CVE-2025-25895

High

Published: 18 February 2025

Published

18 February 2025

Modified

02 May 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the public_type parameter. This vulnerability allows attackers to execute arbitrary operating system (OS) commands via a crafted packet.

Security Summary

CVE-2025-25895, published on 2025-02-18, is an OS command injection vulnerability (CWE-78) in D-Link DSL-3782 v1.01, exploitable via the public_type parameter. The flaw enables attackers to execute arbitrary operating system commands by sending a crafted packet to the affected router.

According to its CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited by attackers with adjacent network access and low privileges, requiring low complexity and no user interaction. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to full system control on the device.

Advisories are documented in references at https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_3_en.pdf.

Details

CWE(s): CWE-78

Affected Products

dlink

dsl-3782 firmware

1.01

References

https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_3_en.pdf
Broken Link · cve@mitre.org
https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_3_en.pdf
Broken Link · 134c704f-9b21-4f2e-91b3-4a467353bcc0