CVE-2025-25893
Published: 18 February 2025
Description
An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the inIP, insPort, inePort, exsPort, exePort, and protocol parameters. This vulnerability allows attackers to execute arbitrary operating system (OS) commands via a crafted packet.
Security Summary
CVE-2025-25893 is an OS command injection vulnerability (CWE-78) affecting the D-Link DSL-3782 router running firmware version 1.01. The flaw exists in the handling of the inIP, insPort, inePort, exsPort, exePort, and protocol parameters, enabling attackers to execute arbitrary operating system commands through a specially crafted packet. Published on 2025-02-18, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
Exploitation requires an attacker to have adjacent network access (AV:A) and low privileges (PR:L), with low attack complexity and no user interaction needed. Successful exploitation allows arbitrary command execution on the underlying OS, potentially granting full control over the device, including data exfiltration, modification of configurations, or disruption of services.
Mitigation details and further technical analysis are documented in the referenced advisories, available at https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_2_en.pdf.
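The weakness class here (CWE-78) arises when request parameters such as the ones named above reach an OS command without strict validation. The following C example is added here for illustration and is not D-Link's firmware code nor taken from the referenced advisory; the parameter names mirror the advisory, but the `fwd_rule` struct, the `fwhelper` command and all validation functions are hypothetical. It shows the two defensive measures a practitioner would want in a port-forwarding handler: an allow-list check on every field (IPv4 address, numeric port range, fixed protocol keyword) and building an argv array for direct execution instead of composing a shell command string.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request structure; field names follow the advisory's parameters. */
struct fwd_rule {
    const char *inIP, *insPort, *inePort, *exsPort, *exePort, *protocol;
};

/* Hypothetical command description: argv for execve/posix_spawn, never a shell string. */
struct fw_cmd {
    char in_range[12];   /* "65535:65535" plus NUL */
    char ex_range[12];
    const char *argv[8];
    int argc;
};

/* Return 1 if s is a well-formed dotted-quad IPv4 address, else 0. */
int valid_ipv4(const char *s) {
    struct in_addr a;
    if (s == NULL || strlen(s) > 15) return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Return 1 if s is a decimal port 1..65535 made only of digits, else 0. */
int valid_port(const char *s) {
    char *end;
    long v;
    if (s == NULL || *s == '\0' || strlen(s) > 5) return 0;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    v = strtol(s, &end, 10);
    return *end == '\0' && v >= 1 && v <= 65535;
}

/* Return 1 if s is exactly one of the allowed protocol keywords, else 0. */
int valid_proto(const char *s) {
    return s != NULL && (strcmp(s, "tcp") == 0 || strcmp(s, "udp") == 0);
}

/* Validate every field; any failure rejects the whole rule. */
int validate_rule(const struct fwd_rule *r) {
    return valid_ipv4(r->inIP) && valid_port(r->insPort) && valid_port(r->inePort)
        && valid_port(r->exsPort) && valid_port(r->exePort) && valid_proto(r->protocol);
}

/* Build argv for the hypothetical "fwhelper" tool. Returns 0 on success,
 * -1 if validation fails. Because the values were allow-listed and are passed
 * as separate argv entries, no shell metacharacter can ever be interpreted. */
int build_cmd(const struct fwd_rule *r, struct fw_cmd *c) {
    if (!validate_rule(r)) return -1;
    snprintf(c->in_range, sizeof c->in_range, "%s:%s", r->insPort, r->inePort);
    snprintf(c->ex_range, sizeof c->ex_range, "%s:%s", r->exsPort, r->exePort);
    c->argv[0] = "fwhelper";
    c->argv[1] = "add";
    c->argv[2] = r->protocol;
    c->argv[3] = r->inIP;
    c->argv[4] = c->in_range;
    c->argv[5] = c->ex_range;
    c->argv[6] = NULL;
    c->argc = 6;
    return 0;
}

int main(void) {
    /* Constructed sample input: one clean rule and one carrying a shell metacharacter. */
    struct fwd_rule good = { "192.168.1.10", "8080", "8080", "80", "80", "tcp" };
    struct fwd_rule bad  = { "192.168.1.10;reboot", "8080", "8080", "80", "80", "tcp" };
    struct fw_cmd c;

    if (build_cmd(&good, &c) == 0) {
        printf("accepted:");
        for (int i = 0; i < c.argc; i++) printf(" %s", c.argv[i]);
        printf("\n");
    }
    if (build_cmd(&bad, &c) != 0)
        printf("rejected: inIP failed validation\n");
    return 0;
}
```

The key design choice is that validation is structural (parse as an address, parse as a number, compare against a keyword list) rather than a denylist of characters like `;` or `|`, and that the validated values are handed to the helper as discrete arguments; a denylist-plus-`system()` approach leaves room for encodings the filter did not anticipate.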
Details
- CWE(s)