Cyber Posture

CVE-2025-25894

High

Published: 18 February 2025

Published
18 February 2025
Modified
02 May 2025
KEV Added
Patch
CVSS Score 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25894 is a high-severity OS Command Injection (CWE-78) vulnerability in Dlink Dsl-3782 Firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents OS command injection by requiring validation of untrusted inputs such as the samba_wg and samba_nbn parameters in crafted packets.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and remediation of the specific command injection flaw in D-Link DSL-3782 firmware to eliminate the vulnerability.

SI-9 Information Input Restrictions good match
prevent

Restricts insertion of malicious input types, such as command separators, into the vulnerable samba_wg and samba_nbn parameters to block injection attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

OS command injection (CWE-78) in router parameters directly enables remote arbitrary command execution via crafted input, mapping to exploitation of the network device application (T1190) and Unix shell command interpreter usage (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the samba_wg and samba_nbn parameters. This vulnerability allows attackers to execute arbitrary operating system (OS) commands via a crafted packet.

Deeper analysisAI

CVE-2025-25894 is an OS command injection vulnerability (CWE-78) discovered in D-Link DSL-3782 v1.01, affecting the samba_wg and samba_nbn parameters. This flaw allows attackers to execute arbitrary operating system commands via a crafted packet, as published on 2025-02-18 with a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers with adjacent network access (AV:A) and low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables arbitrary command execution on the device, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to full router compromise.

Advisories with further details, including potential mitigation guidance, are available in the referenced document at https://github.com/2664521593/mycve/blob/main/CJ_in_D-Link_DSL-3782_1_en.pdf.

Details

CWE(s)
CWE-78

Affected Products

dlink
dsl-3782 firmware
1.01

CVEs Like This One

CVE-2025-25893Same product: Dlink Dsl-3782
CVE-2025-25895Same product: Dlink Dsl-3782
CVE-2026-2175Same vendor: Dlink
CVE-2026-2210Same vendor: Dlink
CVE-2026-2260Same vendor: Dlink
CVE-2026-2081Same vendor: Dlink
CVE-2026-2152Same vendor: Dlink
CVE-2026-2157Same vendor: Dlink
CVE-2026-2063Same vendor: Dlink
CVE-2026-2129Same vendor: Dlink

References