CVE-2025-4340
Published: 06 May 2025
Summary
CVE-2025-4340 is a medium-severity Injection (CWE-74) vulnerability in D-Link DIR-806 firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
A command injection vulnerability exists in the sub_175C8 function of /htdocs/soap.cgi on D-Link DIR-890L and DIR-806A1 routers running firmware up to 100CNb11/108B03. The flaw, tracked as CVE-2025-4340 and assigned CWE-74 and CWE-77, allows an attacker to inject and execute arbitrary commands through the SOAP interface. The affected devices are no longer supported by D-Link.
An authenticated remote attacker can exploit the issue over the network without user interaction to execute commands on the device. Successful exploitation grants limited control over the router, including the ability to modify configuration or access local resources. A public proof-of-concept has been released, and the vulnerability carries a CVSS 4.0 score of 5.3.
The listed references point to a detailed exploit description on GitHub and entries in VulDB, but contain no vendor-supplied patches or mitigation guidance. The current and peak EPSS score remains flat at 0.0278, indicating limited observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13558
Vulnerability details
A vulnerability classified as critical has been found in D-Link DIR-890L and DIR-806A1 up to 100CNb11/108B03. Affected is the function sub_175C8 of the file /htdocs/soap.cgi. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in the public-facing soap.cgi web interface on D-Link routers enables remote exploitation of public-facing applications (T1190) for initial access and subsequent Unix shell command execution (T1059.004).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.