CVE-2018-25120
Published: 29 October 2025
Summary
CVE-2018-25120 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DNS-343 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of untrusted form parameters in the Mail Test endpoint to prevent command injection into the system email utility.
- Mandates identification, reporting, and correction of flaws like this command injection vulnerability through timely patching or mitigation.
- Prohibits deployment or continued use of unsupported end-of-life components such as the unpatched D-Link DNS-343 firmware.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection in a public-facing web interface (Mail Test endpoint), enabling unauthenticated remote exploitation for Unix shell execution with root privileges.
NVD Description
D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. NOTE: The DNS-343 product line has been declared end-of-life.
Deeper analysis
CVE-2018-25120 is a command injection vulnerability (CWE-78) affecting D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05. The flaw resides in the Mail Test functionality, where the web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and passes several form parameters directly to a system email utility without proper input validation, enabling arbitrary command injection.
An unauthenticated remote attacker can exploit this vulnerability by supplying crafted form data to the endpoint, resulting in shell command execution with root privileges on the device. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its critical severity, requiring no privileges or user interaction and allowing high-impact confidentiality, integrity, and availability violations over the network.
Advisories, including those from VulnCheck and independent researchers, document the vulnerability and provide proof-of-concept exploits, such as the one available on Exploit-DB. The D-Link DNS-343 product line has been declared end-of-life, with no patches available for this issue.
Notable context includes public exploit code on Exploit-DB, confirming practical exploitability, though no widespread real-world exploitation has been reported in the provided details.
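Since no patch is available, monitoring traffic to the affected endpoint is one way to apply the input-validation idea at the network edge. The sketch below is an added example, not code from the advisory or from D-Link: it flags every request to '/goform/Mail_Test' and raises the severity when a percent-decoded form value contains shell metacharacters. The tab-separated log layout and the form field names `to` and `subject` are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/goform/Mail_Test"  # endpoint named in the advisory
# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

def classify(path, body):
    """Return (severity, suspicious_field_names) for one logged request."""
    route, _, query = path.partition("?")
    if route.rstrip("/") != ENDPOINT:
        return "ignore", []
    # parse_qsl percent-decodes, so encoded metacharacters (%3B, %60) are seen.
    fields = parse_qsl(query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    hits = sorted({name for name, value in fields if SHELL_META.search(value)})
    if hits:
        return "high", hits
    # The endpoint needs no authentication, so even clean requests get reviewed.
    return "review", []

def scan(lines):
    """Return (source, severity, fields) for each request needing attention."""
    alerts = []
    for line in lines:
        src, _method, path, body = line.split("\t", 3)
        severity, hits = classify(path, body)
        if severity != "ignore":
            alerts.append((src, severity, hits))
    return alerts

# Constructed sample log: source, method, path, form body (tab-separated).
# Field names "to" and "subject" are hypothetical, not taken from the firmware.
SAMPLE_LOG = [
    "10.0.0.5\tGET\t/index.html\t",
    "10.0.0.5\tPOST\t/goform/Mail_Test\tto=admin%40example.com&subject=test",
    "203.0.113.9\tPOST\t/goform/Mail_Test\tto=a%40example.com%3Becho+x&subject=t",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The character set is deliberately strict for a mail-test form, so expect occasional false positives on values that legitimately contain `&` or `$`.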
Details
- CWE(s)