Cyber Resilience

CVE-2025-15357

Medium · Public PoC

Published: 30 December 2025

Modified: 09 January 2026
CVSS v4 Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0380 (88.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-15357 is a medium-severity Injection (CWE-74) vulnerability in D-Link DI-7400G+ firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-15357 is a command injection vulnerability affecting the D-Link DI-7400G+ router on firmware version 19.12.25A1. The flaw resides in an unknown function within the file /msp_info.htm?flag=cmd, where manipulation of the cmd argument enables command injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is remotely exploitable by attackers possessing low privileges, such as authenticated users with basic access. Exploitation requires network connectivity and low attack complexity but no user interaction. Successful attacks can result in limited impacts, including partial disclosure of sensitive information, modification of data, and denial of some services through arbitrary command execution.

Advisories and references, including VulDB entries (ctiid.338743, id.338743, submit.726376) and the D-Link website, provide further details. A proof-of-concept exploit is publicly available on GitHub at xyh4ck/iot_poc/tree/main/D-Link_DI_7400G%2B_Command_Injection, indicating potential for immediate use by threat actors.

The exploit's public disclosure heightens the risk for exposed D-Link DI-7400G+ devices running the vulnerable firmware.

Vulnerability details

A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection via the web interface of a public-facing router directly enables exploitation of a public-facing application (T1190) and command execution through the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-57105 · Same product: D-Link DI-7400G+
CVE-2026-0732 · Same vendor: D-Link
CVE-2026-1125 · Same vendor: D-Link
CVE-2026-2163 · Same vendor: D-Link
CVE-2025-15191 · Same vendor: D-Link
CVE-2025-10401 · Same vendor: D-Link
CVE-2025-7192 · Same vendor: D-Link
CVE-2025-13306 · Same vendor: D-Link
CVE-2025-60854 · Same vendor: D-Link
CVE-2025-55848 · Same vendor: D-Link

Affected Assets

dlink
di-7400g+ firmware
19.12.25a1

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires validation and sanitization of the 'cmd' argument in /msp_info.htm to prevent command injection exploitation.

Prevent: Mandates identification, reporting, and patching of the specific command injection flaw in D-Link DI-7400G+ firmware version 19.12.25A1.

Detect: Requires vulnerability scanning to identify CVE-2025-15357 in deployed routers, enabling remediation before public exploit usage.