Cyber Posture

CVE-2025-12295

Medium · Public PoC

Published: 27 October 2025
Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.6th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.

Security Summary

CVE-2025-12295 is a vulnerability involving improper verification of cryptographic signatures in the Firmware Update Handler component of D-Link DAP-2695 firmware version 2.00RC13. The issue resides in the function sub_40C6B8 and is classified under CWE-345 (Insufficient Verification of Data Authenticity) and CWE-347 (Improper Verification of Cryptographic Signature). It carries a CVSS v3.1 base score of 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating medium severity: the flaw is reachable over the network, but attack complexity is high and high privileges are required.

The vulnerability enables remote exploitation where an attacker with high privileges can manipulate firmware updates to bypass signature checks, potentially leading to high confidentiality, integrity, and availability impacts. Attacks are described as highly complex with difficult exploitability, though a public exploit is available and could be used against affected devices.

References, including analyses on GitHub and VulDB, detail the flaw but note that it only impacts products no longer supported by D-Link, implying no official patches or mitigations are available. The D-Link website provides general product information but no specific advisory for this CVE. Security practitioners should isolate or decommission affected DAP-2695 devices.

Notable context includes the public availability of the exploit and its restriction to end-of-support hardware, which increases risk in legacy network environments without vendor maintenance.

Details

CWE(s)
CWE-345, CWE-347

Affected Products

dlink dap-2695 firmware 2.00

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1542.001 System Firmware (Stealth)
Adversaries may modify system firmware to persist on systems.

T1553.002 Code Signing (Defense Impairment)
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.

Why these techniques?

The firmware update handler vulnerability allows remote bypass of cryptographic signature verification (CWE-347), enabling exploitation of a public-facing application (T1190), subversion of code signing controls (T1553.002), and modification of system firmware for persistence (T1542.001).

References