Cyber Posture

CVE-2025-15357

Severity: Medium · Public PoC

Published: 30 December 2025
Modified: 09 January 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none listed
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0012 (31.1st percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15357 is a medium-severity Injection (CWE-74) vulnerability in D-Link DI-7400G+ firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Network Device CLI (T1059.008). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10, Information Input Validation): directly requires validation and sanitization of the 'cmd' argument in /msp_info.htm to prevent command injection exploitation.
- prevent: mandates identification, reporting, and patching of the specific command injection flaw in D-Link DI-7400G+ firmware version 19.12.25A1.
- detect (RA-5, Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify CVE-2025-15357 in deployed routers, enabling remediation before public exploit usage.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.008 Network Device CLI (Execution): adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection through the web interface of a public-facing router directly maps to exploitation of a public-facing application (T1190) and to command execution through the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used.

Deeper analysis

CVE-2025-15357 is a command injection vulnerability affecting the D-Link DI-7400G+ router on firmware version 19.12.25A1. The flaw resides in an unknown function within the file /msp_info.htm?flag=cmd, where manipulation of the cmd argument enables command injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is remotely exploitable by attackers possessing low privileges, such as authenticated users with basic access. Exploitation requires network connectivity and low attack complexity but no user interaction. Successful attacks can result in limited impacts, including partial disclosure of sensitive information, modification of data, and denial of some services through arbitrary command execution.

Advisories and references, including VulDB entries (ctiid.338743, id.338743, submit.726376) and the D-Link website, provide further details. A proof-of-concept exploit is publicly available on GitHub at xyh4ck/iot_poc/tree/main/D-Link_DI_7400G%2B_Command_Injection, indicating potential for immediate use by threat actors.

The exploit's public disclosure heightens the risk for exposed D-Link DI-7400G+ devices running the vulnerable firmware.
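The detect control above (vulnerability scanning) covers deployed devices; on the log side, the following is an added defender example, not code from the advisory or from D-Link, that scans web-server access log lines for requests reaching the vulnerable /msp_info.htm?flag=cmd endpoint and flags cmd values that carry shell metacharacters. It assumes the argument travels in the query string and that the log is in combined log format; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable endpoint and parameter named in the advisory.
VULN_PATH = "/msp_info.htm"
# Shell metacharacters and substitution syntax that a benign value of the
# cmd argument should never need; any hit is treated as an injection attempt.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")
# Combined-log-format line: client, user, time, method, target, status.
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def inspect_target(target):
    """Classify one request target: 'none', 'endpoint' (vulnerable page hit
    with flag=cmd) or 'injection' (cmd value carries shell syntax).
    Assumption: cmd is sent in the query string; adapt if the device uses POST."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return "none"
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("flag", [""])[0] != "cmd":
        return "none"
    cmd = q.get("cmd", [""])[0]  # parse_qs already percent-decodes the value
    return "injection" if SHELL_META.search(cmd) else "endpoint"


def scan_access_log(lines):
    """Return a finding for every line that touches the vulnerable endpoint."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, user, when, method, target, status = m.groups()
        verdict = inspect_target(target)
        if verdict != "none":
            findings.append({"client": client, "user": user, "time": when,
                             "method": method, "status": int(status),
                             "verdict": verdict})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - admin [30/Dec/2025:10:01:02 +0000] "GET /msp_info.htm?flag=cmd&cmd=ping%20192.0.2.1 HTTP/1.1" 200 512',
    '203.0.113.7 - admin [30/Dec/2025:10:01:09 +0000] "GET /msp_info.htm?flag=cmd&cmd=ping%20192.0.2.1%3Bid HTTP/1.1" 200 2048',
    '198.51.100.5 - - [30/Dec/2025:10:02:00 +0000] "GET /index.htm HTTP/1.1" 200 1024',
    '203.0.113.7 - admin [30/Dec/2025:10:03:11 +0000] "GET /msp_info.htm?flag=status HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} user={f['user']} -> {f['verdict']}")
```

Every 'endpoint' hit is worth reviewing as well, since PR:L in the vector means an authenticated low-privilege account is enough to reach the flaw.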

Details

CWE(s): CWE-74, CWE-77

Affected Products

dlink · di-7400g+ firmware · 19.12.25a1

CVEs Like This One

- CVE-2025-57105 (same product: D-Link DI-7400G+)
- CVE-2026-2163 (same vendor: D-Link)
- CVE-2026-1125 (same vendor: D-Link)
- CVE-2026-0732 (same vendor: D-Link)
- CVE-2025-15191 (same vendor: D-Link)
- CVE-2025-13306 (same vendor: D-Link)
- CVE-2025-10401 (same vendor: D-Link)
- CVE-2025-7192 (same vendor: D-Link)
- CVE-2026-8346 (same vendor: D-Link)
- CVE-2025-60854 (same vendor: D-Link)
