CVE-2025-1800
Published: 01 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-1800 is a command injection vulnerability classified as critical in D-Link DAR-7000 version 3.2. It affects the get_ip_addr_details function within the file /view/vpn/sxh_vpn/sxh_vpnlic.php of the HTTP POST Request Handler component. The issue arises from manipulation of the ethname argument, enabling command injection. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-77. It exclusively impacts products no longer supported by the maintainer.
An attacker with low privileges can exploit this vulnerability remotely by crafting an HTTP POST request that injects arbitrary commands via the ethname argument. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized command execution on the device.
Advisories note that no patches are available, as the affected D-Link DAR-7000 devices are end-of-support. References from VulDB and a GitHub repository disclose the exploit publicly, indicating it may be actively used. Practitioners should prioritize isolating or decommissioning these unsupported devices.
The exploit has been disclosed to the public, increasing the risk for exposed instances of this EOL product.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote command injection vulnerability in the HTTP POST handler of the web interface (/view/vpn/sxh_vpn/sxh_vpnlic.php) enables exploitation of a public-facing application (T1190) and execution of arbitrary Unix shell commands via the 'ethname' parameter (T1059.004).
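For operators who still have one of these devices behind a reverse proxy or WAF that records raw requests, the check below flags POSTs to the affected handler whose ethname value is not a bare interface name. It is an added example, not code from the advisory or from D-Link. The form-urlencoded field encoding, the interface-name pattern and the sample requests are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/view/vpn/sxh_vpn/sxh_vpnlic.php"  # handler named in the advisory
# Assumption: a legitimate ethname is a bare interface name (Linux caps these at 15 chars).
IFNAME_OK = re.compile(r"[A-Za-z0-9_.:-]{1,15}")


def suspicious_ethname(raw_request):
    """Return ethname values in a POST to TARGET_PATH that are not bare interface names."""
    head, _, body = raw_request.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    url = urlsplit(parts[1])
    # Normalise encoded or doubled slashes before comparing the path.
    if posixpath.normpath(unquote(url.path)) != TARGET_PATH:
        return []
    # Assumption: the field is form-urlencoded; check both body and query string.
    values = []
    for source in (body.strip(), url.query):
        values += parse_qs(source, keep_blank_values=True).get("ethname", [])
    return [v for v in values if not IFNAME_OK.fullmatch(v)]


def _request(path, body):
    # Constructed sample request, not captured traffic.
    return (f"POST {path} HTTP/1.1\r\nHost: gateway.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


SAMPLES = [
    _request(TARGET_PATH, "ethname=eth0"),
    _request(TARGET_PATH, "ethname=eth0%3BPLACEHOLDER_CMD"),
    _request("/view//vpn/sxh_vpn/sxh_vpnlic.php", "ethname=eth0%7CPLACEHOLDER_CMD"),
    _request("/view/other.php", "ethname=eth0%3BPLACEHOLDER_CMD"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(suspicious_ethname(sample))
```

Any non-empty result is worth an alert. With no patch available, the same allowlist can be enforced as a blocking rule at the proxy until the device is isolated or decommissioned.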