Description
A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
Published: 2025-06-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E routers. An unauthenticated remote attacker can supply crafted requests to the getpage parameter in the /cgi-bin/webproc CGI script, allowing the attacker to read arbitrary files from the device. This can lead to disclosure of sensitive configuration, credentials, or firmware files, thereby compromising confidentiality and potentially enabling further compromise of the network segment the router protects.

Affected Systems

The flaw affects D-Link DSL-2730U, DSL-2750U, and DSL-2750E routers running firmware versions IN_1.02, SEA_1.04, or SEA_1.07. The affected products are commonly used in small‑business and residential environments where the router’s web interface is exposed to WAN or internal networks.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity. The EPSS score below 1% indicates that exploitation may currently be uncommon, yet the ability to read arbitrary files without authentication remains a serious threat. The vulnerability is not listed in the CISA KEV catalog, but the existence of publicly available proof‑of‑concept code and documented exploitation suggests that attackers could target vulnerable devices if they remain unpatched. The attack requires network connectivity to the router’s management interface and does not rely on privileged access or knowledge of credentials.

Generated by OpenCVE AI on April 28, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the firmware of the affected D-Link routers to the latest version that removes the vulnerable getpage parameter in the /cgi-bin/webproc CGI script.
  • Restrict external access to the router’s web interface by limiting management traffic to trusted internal networks or by applying firewall rules that block WAN or untrusted subnet traffic.
  • Consider implementing network segmentation to isolate the router from critical internal systems, thereby limiting the impact of any future exploitation.



Advisories
Source | ID | Title
EUVD | EUVD-2025-19207 | A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device.
History

Fri, 21 Nov 2025 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | D-link; D-link dcs-2750e; D-link dsl-2750u; Dlink; Dlink dsl-2730u Firmware
CPEs | | cpe:2.3:a:d-link:dcs-2750e:sea_1.04:*:*:*:*:*:*:*; cpe:2.3:a:d-link:dcs-2750e:sea_1.07:*:*:*:*:*:*:*; cpe:2.3:h:d-link:dsl-2750u:sea_1.04:*:*:*:*:*:*:*; cpe:2.3:h:d-link:dsl-2750u:sea_1.07:*:*:*:*:*:*:*; cpe:2.3:o:dlink:dsl-2730u_firmware:in_1.02:*:*:*:*:*:*:*
Vendors & Products | | D-link; D-link dcs-2750e; D-link dsl-2750u; Dlink; Dlink dsl-2730u Firmware

Mon, 17 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 17 Nov 2025 21:00:00 +0000

Type | Values Removed | Values Added
Description | A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device. | A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Wed, 16 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00255} | epss {'score': 0.00261}


Thu, 26 Jun 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Jun 2025 16:00:00 +0000

Type | Values Removed | Values Added
Description | | A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device.
Title | | D-Link DSL-2730U/2750U/2750E Path Traversal Arbitrary File Read
Weaknesses | | CWE-20; CWE-22
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:12.488Z

Reserved: 2025-04-15T19:15:22.547Z

Link: CVE-2025-34048

Vulnrichment

Updated: 2025-06-26T17:41:34.929Z

NVD

Status: Deferred

Published: 2025-06-26T16:15:28.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses