Cyber Resilience

CVE-2018-25120

Critical · Public PoC · RCE

Published: 29 October 2025

Modified: 28 November 2025
KEV Added:
Patch:
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0091 (76.2th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25120 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DNS-343 firmware. Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2018-25120 is a command injection vulnerability (CWE-78) affecting D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05. The flaw resides in the Mail Test functionality, where the web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and passes several form parameters directly to a system email utility without proper input validation, enabling arbitrary command injection.

An unauthenticated remote attacker can exploit this vulnerability by supplying crafted form data to the endpoint, resulting in shell command execution with root privileges on the device. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its critical severity, requiring no privileges or user interaction and allowing high-impact confidentiality, integrity, and availability violations over the network.

Advisories, including those from VulnCheck and independent researchers, document the vulnerability and provide proof-of-concept exploits, such as the one available on Exploit-DB. The D-Link DNS-343 product line has been declared end-of-life, with no patches available for this issue.

Notable context includes public exploit code on Exploit-DB, confirming practical exploitability, though no widespread real-world exploitation has been reported in the provided details.
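Because no patch exists, the practical check is whether anything other than an administrator is reaching '/goform/Mail_Test'. The following is an added example, not code from this page or from D-Link: it scans combined-format access logs and flags every request to that endpoint, normalizing percent-encoding, duplicate slashes and case before matching. It assumes a reverse proxy or network sensor in front of the NAS writes such logs; the management subnet 192.168.10.0/24 and all sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoint named in the advisory text, lowercased for comparison.
TARGET_PATH = "/goform/mail_test"
# Assumption: the only network that should ever reach the NAS admin UI.
MGMT_NET = ipaddress.ip_network("192.168.10.0/24")

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target):
    """Drop query/fragment, decode percent-escapes, collapse slashes, lowercase."""
    path = unquote(re.split(r"[?#]", target, maxsplit=1)[0])
    return re.sub(r"/+", "/", path).rstrip("/").lower()

def find_mail_test_hits(lines):
    """Return one finding per request that reached the Mail Test endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize_path(m["target"]) != TARGET_PATH:
            continue
        try:
            external = ipaddress.ip_address(m["ip"]) not in MGMT_NET
        except ValueError:
            external = True  # unparseable client field: treat as untrusted
        findings.append({
            "client": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "severity": "high" if external else "review",
        })
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.168.10.5 - - [01/Nov/2025:09:12:01 +0000] "POST /goform/Mail_Test HTTP/1.1" 200 312',
    '203.0.113.77 - - [01/Nov/2025:09:14:44 +0000] "POST /goform//Mail%5FTest?x=1 HTTP/1.1" 200 312',
    '203.0.113.77 - - [01/Nov/2025:09:14:50 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Nov/2025:10:02:13 +0000] "GET /goform/Mail_Test HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_mail_test_hits(SAMPLE_LOG):
        print(hit)
```

Requests from inside the management subnet are marked "review" rather than ignored, since the endpoint requires no authentication and any internal host can reach it as well.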

EU & UK References

Vulnerability details

D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. NOTE: The DNS-343 product line has been declared end-of-life.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a command injection in a public-facing web interface (Mail Test endpoint), enabling unauthenticated remote exploitation for Unix shell execution with root privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (same vendor: D-Link)
CVE-2013-10048 (same vendor: D-Link)
CVE-2013-10069 (same vendor: D-Link)
CVE-2025-25894 (same vendor: D-Link)
CVE-2013-10050 (same vendor: D-Link)
CVE-2026-2260 (same vendor: D-Link)
CVE-2026-4465 (same vendor: D-Link)
CVE-2026-2210 (same vendor: D-Link)
CVE-2026-8273 (same vendor: D-Link)
CVE-2026-2151 (same vendor: D-Link)

Affected Assets

dlink
dns-343 firmware
≤ 1.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation of untrusted form parameters in the Mail Test endpoint to prevent command injection into the system email utility.

prevent

Mandates identification, reporting, and correction of flaws like this command injection vulnerability through timely patching or mitigation.

prevent

Prohibits deployment or continued use of unsupported end-of-life components such as the unpatched D-Link DNS-343 firmware.

References