CVE-2025-14225
Published: 08 December 2025
Description
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Security Summary
CVE-2025-14225 is a command injection vulnerability affecting the D-Link DCS-930L camera running firmware version 1.15.04. The flaw exists in an unknown part of the /setSystemAdmin file within the alphapd component, where manipulation of the AdminID argument enables command injection. Published on 2025-12-08, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 and CWE-77.
The vulnerability allows remote exploitation by low-privileged users (PR:L) with low attack complexity and no requirement for user interaction. Attackers can execute arbitrary commands on the device, resulting in limited impacts to confidentiality, integrity, and availability.
Advisories from VulDB and a public GitHub repository detail the issue, including proof-of-concept exploit code, confirming that the flaw is remotely exploitable and publicly disclosed. The vulnerability only affects products no longer supported by D-Link, so no patches are available; mitigation requires isolating or decommissioning affected devices.
The exploit has been publicly disclosed and may be used, as noted in recent VulDB entries and the GitHub disclosure.
Details
- CWE(s): CWE-74, CWE-77
- Affected Products: D-Link DCS-930L, firmware version 1.15.04
- MITRE ATT&CK Enterprise Techniques: T1190, T1059.004, T1202
Why these techniques?
Command injection through the remote web endpoint (/setSystemAdmin, AdminID parameter) maps to Exploit Public-Facing Application (T1190), Unix Shell command execution (T1059.004), and Indirect Command Execution (T1202), as identified in the advisories.
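Because no patch exists, detection is the practical control while affected cameras are being isolated or decommissioned. The following Python script is an added example, not part of the advisory or of any D-Link or VulDB tooling: it parses combined-format web access logs (constructed sample lines are embedded), picks out requests to /setSystemAdmin, and flags AdminID values containing shell metacharacters, which have no legitimate place in an administrator name. The log format, the client addresses and the metacharacter list are assumptions of this example.

```python
"""Heuristic detector for suspicious AdminID values sent to /setSystemAdmin.

Added example: flags requests to the vulnerable endpoint whose AdminID
parameter carries shell metacharacters. Log format and sample data are
assumptions of this example, not taken from the advisory.
"""
import re
from urllib.parse import parse_qs, urlsplit

WATCHED_PATH = "/setSystemAdmin"   # endpoint named in the advisory
WATCHED_PARAM = "AdminID"          # parameter named in the advisory

# Characters that chain, substitute or redirect commands in a POSIX shell.
# An administrator user name should never contain any of them. (Heuristic
# list chosen for this example; extend it to match your own policy.)
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")

# Apache/nginx "combined" log line: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log lines (assumed format, RFC 5737 test addresses).
SAMPLE_LOG = [
    '192.0.2.7 - - [08/Dec/2025:10:00:01 +0000] '
    '"GET /setSystemAdmin?AdminID=admin&AdminPW=pw HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Dec/2025:10:00:02 +0000] '
    '"GET /setSystemAdmin?AdminID=admin%3B%20echo%20test&AdminPW=pw HTTP/1.1" 200 512',
    '192.0.2.7 - - [08/Dec/2025:10:00:03 +0000] '
    '"GET /index.html?q=a;b HTTP/1.1" 200 1024',
    'this line is not a valid access-log record',
]


def parse_access_log_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %3B becomes ';' before inspection.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "method": m.group("method"),
        "path": parts.path,
        "params": params,
        "status": int(m.group("status")),
    }


def is_suspicious_admin_id(value):
    """True if the AdminID value contains any shell metacharacter."""
    return bool(SHELL_META.search(value))


def inspect_request(path, params):
    """Return a finding for a request to the watched endpoint with a suspicious
    AdminID, otherwise None. `params` maps names to lists of decoded values,
    so decoded POST form bodies from a proxy or WAF can be fed in directly."""
    if path != WATCHED_PATH:
        return None
    for value in params.get(WATCHED_PARAM, []):
        if is_suspicious_admin_id(value):
            return {"path": path, "param": WATCHED_PARAM, "value": value}
    return None


def scan_access_log(lines):
    """Run the detector over raw log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        record = parse_access_log_line(line)
        if record is None:
            continue
        finding = inspect_request(record["path"], record["params"])
        if finding:
            finding.update(client=record["client"], time=record["time"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {f['time']} {f['client']} {f['path']} "
              f"{f['param']}={f['value']!r}")
```

Access logs only carry query-string parameters, so if the camera accepts the form as a POST body the values must come from a reverse proxy, WAF or packet capture that logs decoded form fields; `inspect_request` accepts such decoded parameters as-is. Any hit against an end-of-life DCS-930L should be treated as an attempted exploitation of CVE-2025-14225 and the device taken off the network.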