CVE-2025-25894

High

Published: 18 February 2025

Published

18 February 2025

Modified

02 May 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the samba_wg and samba_nbn parameters. This vulnerability allows attackers to execute arbitrary operating system (OS) commands via a crafted packet.

Security Summary

CVE-2025-25894 is an OS command injection vulnerability (CWE-78) discovered in D-Link DSL-3782 v1.01, affecting the samba_wg and samba_nbn parameters. This flaw allows attackers to execute arbitrary operating system commands via a crafted packet, as published on 2025-02-18 with a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers with adjacent network access (AV:A) and low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables arbitrary command execution on the device, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to full router compromise.

Advisories with further details, including potential mitigation guidance, are available in the referenced document at https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_1_en.pdf.

Details

CWE(s): CWE-78

Affected Products

dlink

dsl-3782 firmware

1.01

References

https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_1_en.pdf
Broken Link · cve@mitre.org
https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_1_en.pdf
Broken Link · 134c704f-9b21-4f2e-91b3-4a467353bcc0