CVE-2025-15245
Description
A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in the D-Link DCS-850L firmware upload allows local network attackers to manipulate files via the DownloadFile argument, affecting an end-of-life product.
Vulnerability Overview
A path traversal vulnerability exists in the uploadfirmware function of D-Link DCS-850L camera firmware version 1.02.09 [1]. The flaw is triggered by manipulating the DownloadFile argument, which does not properly sanitize user input, allowing directory traversal sequences.
Exploitation
The attack requires the attacker to be on the same local network as the vulnerable device. No authentication is mentioned, so the function may be accessible without credentials. A public exploit has been released, increasing the risk of active attacks against unsupported devices.
Impact
Successful exploitation enables an attacker to traverse directories on the device, potentially leading to unauthorized file access or modification. In the context of a firmware update service, this could allow the upload of malicious firmware or extraction of sensitive files.
Mitigation
The D-Link DCS-850L is an end-of-life product no longer supported by the vendor [1]. No patch will be released. Users are advised to replace the device or implement network segmentation to limit exposure.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:dlink:dcs-850l_firmware:1.02.09:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- tzh00203.notion.site/D-Link-DCS850L-v1-02-09-Path-Traversal-Vulnerability-in-Firmware-Update-2d8b5c52018a803abbc7e30e2858d084 (nvd: Exploit, Third Party Advisory)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Permissions Required, VDB Entry)
- www.dlink.com (nvd: Product)