Cyber Resilience

CVE-2025-14659

HighPublic PoCRCE

Published: 14 December 2025

Published
14 December 2025
Modified
08 March 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0169 82.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14659 is a high-severity Injection (CWE-74) vulnerability in Dlink Dir-868L B1 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14659 is a command injection vulnerability affecting the DHCP Daemon component in D-Link routers DIR-860LB1 firmware version 203b03 and DIR-868LB1 firmware version 203b01. The issue arises from improper handling of the Hostname argument in an unknown function, allowing attackers to inject arbitrary commands. This flaw, associated with CWE-74 and CWE-77, was published on 2025-12-14 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), such as a user on the local network who can interact with the DHCP service. By manipulating the Hostname argument, the attacker can execute arbitrary commands on the device, potentially achieving remote code execution and full compromise of the router, including data theft, modification of configurations, or disruption of network services.

Advisories detailing the vulnerability, including proof-of-concept exploits, are available in references such as the Notion pages for DIR-860LB1 and DIR-868LB1, along with VulDB entries (ctiid.336391, id.336391, submit.713701). No specific patches or mitigations are detailed in the provided information.

The exploit is public and may be used by attackers, increasing the risk for unpatched devices.

EU & UK References

Vulnerability details

A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03. Affected is an unknown function of the component DHCP Daemon. The manipulation of the argument Hostname results in command injection. It is possible to launch the attack remotely. The exploit…

more

is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in DHCP daemon enables exploitation of public-facing network service (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2194Same vendor: Dlink
CVE-2026-2218Same vendor: Dlink
CVE-2026-4203Same vendor: Dlink
CVE-2026-4207Same vendor: Dlink
CVE-2025-10628Same vendor: Dlink
CVE-2026-4210Same vendor: Dlink
CVE-2026-4197Same vendor: Dlink
CVE-2025-10634Same vendor: Dlink
CVE-2025-10629Same vendor: Dlink
CVE-2026-8345Same vendor: Dlink

Affected Assets

dlink
dir-868l b1 firmware
≤ 203b01
dlink
dir-860l b1 firmware
≤ 203b03

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the command injection flaw in the DHCP daemon by identifying, prioritizing, and applying patches or updates to vulnerable firmware.

prevent

Validates untrusted hostname inputs to the DHCP daemon to prevent injection of arbitrary commands.

prevent

Enforces least privilege on the DHCP daemon process to limit the impact and privileges of any successfully injected commands.

References