Cyber Posture

CVE-2025-15391

Medium · Public PoC

Published: 31 December 2025

Modified: 14 January 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0012 (31.1th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Prohibits the use of unsupported system components like the end-of-life D-Link DIR-806A firmware, preventing exploitation of unpatched command injection vulnerabilities.

Prevent: Requires validation of SSDP request inputs to the ssdpcgi_main function, directly preventing command injection attacks.

Prevent: Enforces boundary protection to monitor and control inbound network traffic, blocking remote malicious SSDP requests targeting the vulnerable handler.

Security Summary [AI]

CVE-2025-15391 is a command injection vulnerability (CWE-74, CWE-77) in the ssdpcgi_main function of the SSDP Request Handler component within D-Link DIR-806A firmware version 100CNb11. This flaw affects only products that are no longer supported by the maintainer, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation over the network by attackers with low privileges. Manipulation of SSDP requests triggers command injection, potentially allowing limited impacts on confidentiality, integrity, and availability. A public exploit is available, facilitating potential real-world attacks on vulnerable devices.

Advisories from VulDB and a GitHub repository detail the issue and provide exploit code, confirming remote command injection without mentioning patches due to the product's end-of-support status. The D-Link website is referenced but offers no specific mitigation for this unsupported firmware.

Details

CWE(s)

Affected Products

dlink
dir-806a firmware
100cnb11

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the public-facing SSDP Request Handler on router firmware enables exploitation of a public-facing application (T1190) and remote Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
