CVE-2025-1800
Published: 01 March 2025
Summary
CVE-2025-1800 is a medium-severity Injection (CWE-74) vulnerability in D-Link DAR-7000 firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates risks from end-of-support products like the D-Link DAR-7000 by requiring replacement, isolation, or additional controls for unpatched vulnerabilities.
Prevents command injection by enforcing validation of the ethname argument in the vulnerable HTTP POST request handler.
Limits the scope and impact of arbitrary command execution from low-privilege exploitation by enforcing least privilege on the affected component.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The remote command injection vulnerability in the HTTP POST handler of the web interface (/view/vpn/sxh_vpn/sxh_vpnlic.php) enables exploitation of a public-facing application (T1190) and execution of arbitrary Unix shell commands via the 'ethname' parameter (T1059.004).
NVD Description
A vulnerability has been found in D-Link DAR-7000 3.2 and classified as critical. This vulnerability affects the function get_ip_addr_details of the file /view/vpn/sxh_vpn/sxh_vpnlic.php of the component HTTP POST Request Handler. The manipulation of the argument ethname leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis (AI)
CVE-2025-1800 is a command injection vulnerability classified as critical in D-Link DAR-7000 version 3.2. It affects the get_ip_addr_details function within the file /view/vpn/sxh_vpn/sxh_vpnlic.php of the HTTP POST Request Handler component. The issue arises from manipulation of the ethname argument, enabling command injection. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-77. It exclusively impacts products no longer supported by the maintainer.
An attacker with low privileges can exploit this vulnerability remotely by crafting an HTTP POST request that injects arbitrary commands via the ethname argument. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized command execution on the device.
Advisories note that no patches are available, as the affected D-Link DAR-7000 devices are end-of-support. References from VulDB and a GitHub repository disclose the exploit publicly, indicating it may be actively used. Practitioners should prioritize isolating or decommissioning these unsupported devices.
The exploit has been disclosed to the public, increasing the risk for exposed instances of this EOL product.
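Because no patch exists, the SI-10 input check has to live outside the device, for example in a filtering proxy or a log pipeline in front of it. The sketch below is an added example, not code from D-Link or from this page: it flags POST requests to the affected endpoint whose ethname value is not a plain interface name. The form-encoded body, the allowlist pattern, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/view/vpn/sxh_vpn/sxh_vpnlic.php"   # endpoint named in the advisory
# Assumed policy: a Linux-style interface name, at most 15 characters, from a
# conservative character set with no shell metacharacters or whitespace.
IFNAME_RE = re.compile(r"[A-Za-z0-9_.:-]{1,15}")


def rejected_ethnames(method, target, body):
    """Return the ethname values in one request that fail the allowlist.

    An empty list means the request is not a POST to the affected endpoint
    or every ethname value is well formed.
    """
    url = urlsplit(target)
    if method.upper() != "POST" or url.path != VULN_PATH:
        return []
    # parse_qs percent-decodes values and keeps every repeat of a parameter,
    # so an encoded or duplicated ethname cannot slip past the check.
    values = []
    for raw in (url.query, body):
        values += parse_qs(raw, keep_blank_values=True).get("ethname", [])
    return [v for v in values if not IFNAME_RE.fullmatch(v)]


def scan(records):
    """Return (index, bad_values) for each record that should be blocked or alerted on."""
    hits = []
    for i, (method, target, body) in enumerate(records):
        bad = rejected_ethnames(method, target, body)
        if bad:
            hits.append((i, bad))
    return hits


# Constructed sample records (method, request target, form body); not real traffic.
SAMPLE = [
    ("POST", VULN_PATH, "ethname=eth0"),
    ("POST", VULN_PATH, "ethname=eth0%3Buptime"),
    ("POST", VULN_PATH, "ethname=eth1&ethname=%24%28uptime%29"),
    ("POST", VULN_PATH, "ethname=br-lan.100"),
    ("GET", "/index.php", ""),
]

if __name__ == "__main__":
    for index, bad in scan(SAMPLE):
        print(f"record {index}: rejected ethname value(s) {bad!r}")
```

An allowlist is used rather than a list of forbidden characters, so empty, over-long, and whitespace-bearing values are rejected along with shell metacharacters.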
Details
- CWE(s)