Cyber Posture

CVE-2025-69542

Critical · Public PoC

Published: 09 January 2026

Modified: 10 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0220 (84.5th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

A Command Injection Vulnerability has been discovered in the DHCP daemon service of D-Link DIR895LA1 v102b07. The vulnerability exists in the lease renewal processing logic where the DHCP hostname parameter is directly concatenated into a system command without proper sanitization. When a DHCP client renews an existing lease with a malicious hostname, arbitrary commands can be executed with root privileges.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates the command injection by requiring validation and sanitization of the DHCP hostname input before concatenation into system commands.

prevent

Addresses the specific flaw in the DHCP daemon's lease renewal processing through timely identification, reporting, and correction via patches or updates.

prevent

Restricts the types, sources, and quantity of hostname inputs to the DHCP service, limiting opportunities for malicious command injection payloads.
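
The input-validation and input-restriction controls above, sketched in C as an added example. This is not D-Link's code and is not taken from the advisory: the page does not show the daemon's source, so `hostname_is_valid`, `run_lease_hook`, the `renew` argument and the 63-byte limit are hypothetical names and assumptions. It allow-lists the raw hostname option bytes and passes the result to a helper as a discrete `argv` element instead of building a shell command string.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HOSTNAME_MAX 63 /* one DNS label; limit assumed for this sketch */

/* Allow-list check on the raw DHCP hostname option payload. The option is
 * length-prefixed on the wire and NOT NUL-terminated, so every byte is
 * checked and an embedded NUL is rejected instead of truncating the name. */
int hostname_is_valid(const unsigned char *opt, size_t len)
{
    if (opt == NULL || len == 0 || len > HOSTNAME_MAX)
        return 0;
    if (opt[0] == '-' || opt[len - 1] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = opt[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-';
        if (!ok) return 0; /* shell metacharacters, spaces, NUL, 8-bit */
    }
    return 1;
}

/* Run a lease hook (path supplied by the caller, hypothetical) with the
 * hostname as its own argv element. No shell parses the value.
 * Returns the hook's exit status, or -1 if the name is rejected or on error. */
int run_lease_hook(const char *hook, const unsigned char *opt, size_t len)
{
    char name[HOSTNAME_MAX + 1];
    if (!hostname_is_valid(opt, len))
        return -1;
    memcpy(name, opt, len);
    name[len] = '\0';
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)hook, "renew", name, NULL };
        char *const envp[] = { NULL }; /* empty environment for the hook */
        execve(hook, argv, envp);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Validation and the shell-free `execve` call are independent layers: either one alone stops a hostname from being interpreted as a command, and rejected names never reach `fork`.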

Security Summary · AI

CVE-2025-69542 is a command injection vulnerability (CWE-77) affecting the DHCP daemon service in D-Link DIR895LA1 routers running firmware version v102b07. The flaw resides in the lease renewal processing logic, where the DHCP hostname parameter supplied by a client is directly concatenated into a system command without proper sanitization, enabling code execution.

Attackers with network access can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By renewing an existing DHCP lease using a malicious hostname, an unauthenticated remote attacker can execute arbitrary commands on the router with root privileges, potentially leading to full device compromise, data theft, or further network pivoting.

Details on mitigation, including any patches or workarounds, are provided in the advisory at https://tzh00203.notion.site/D-Link-DIR895LA1-v102b07-Command-Injection-in-DHCPd-2d4b5c52018a80a1a5ccfb317b308861?source=copy_link.

Details

CWE(s)

Affected Products

dlink
dir-895la1 firmware
102b07

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in DHCP daemon enables unauthenticated remote exploitation of a network-accessible service (T1190) for arbitrary root Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
