Cyber Posture

CVE-2018-25120

Critical · Public PoC

Published: 29 October 2025

Modified: 28 November 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0123 (79.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2018-25120 is a command injection vulnerability (CWE-78) affecting D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05. The flaw resides in the Mail Test functionality, where the web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and passes several form parameters directly to a system email utility without proper input validation, enabling arbitrary command injection.

An unauthenticated remote attacker can exploit this vulnerability by supplying crafted form data to the endpoint, resulting in shell command execution with root privileges on the device. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its critical severity, requiring no privileges or user interaction and allowing high-impact confidentiality, integrity, and availability violations over the network.

Advisories, including those from VulnCheck and independent researchers, document the vulnerability and provide proof-of-concept exploits, such as the one available on Exploit-DB. The D-Link DNS-343 product line has been declared end-of-life, with no patches available for this issue.

Public exploit code on Exploit-DB confirms practical exploitability, though the available details report no widespread real-world exploitation.

Details

CWE(s)
CWE-78

Affected Products

dlink · dns-343 firmware · ≤ 1.0.5

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability is a command injection in a public-facing web interface (Mail Test endpoint), enabling unauthenticated remote exploitation for Unix shell execution with root privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
