Cyber Resilience

CVE-2025-4903

Medium · Public PoC

Published: 19 May 2025

Modified: 27 May 2025
KEV Added
Patch
CVSS Score v4: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0169 (82.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-4903 is a medium-severity Unverified Password Change (CWE-620) vulnerability in D-Link DI-7003G firmware. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

A critical vulnerability tracked as CVE-2025-4903 exists in the D-Link DI-7003GV2 router on firmware version 24.04.18D1 R(68125). The issue occurs in function sub_41F4F0 of /H5/webgl.asp when handling parameters such as tggl_port, remote_management, http_passwd, and exec_service; improper handling permits an unverified password change and is tracked under CWE-620 and CWE-640.

An unauthenticated attacker can exploit the flaw over the network by submitting a crafted request to the web interface, resulting in an immediate administrative password reset that grants control of the device. The exploit has already been published publicly.

EPSS remains flat at 0.0169 with no material rise after disclosure. Public references include a detailed technical write-up on GitHub, multiple VulDB entries, and the vendor site, though no specific mitigation steps or firmware patches are described in the available information.

Vulnerability details

A vulnerability, which was classified as critical, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). This affects the function sub_41F4F0 of the file /H5/webgl.asp?tggl_port=0&remote_management=0&http_passwd=game&exec_service=admin-restart. The manipulation leads to unverified password change. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
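A defender-side check for the request shape described above, as an added example that is not from the original page or the vendor: it scans HTTP access logs for requests to /H5/webgl.asp that carry the http_passwd parameter. The combined log format, the presence of a proxy or sensor that logs traffic to the management interface, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and parameter names are taken from the CVE description on this page.
TARGET_PATH = "/h5/webgl.asp"
PASSWORD_PARAM = "http_passwd"
RELATED_PARAMS = {"tggl_port", "remote_management", "exec_service"}

# Assumed log source: combined log format ('src - - [ts] "METHOD target HTTP/x" status').
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding if the line is a password-setting request to webgl.asp, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Normalise percent-encoding and case so trivial variations still match.
    if unquote(parts.path).lower() != TARGET_PATH:
        return None
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if PASSWORD_PARAM not in params:
        return None
    # The submitted password value is deliberately not copied into the finding.
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "related_params": sorted(params & RELATED_PARAMS),
    }

def scan(lines):
    """Return findings for every matching line, in input order."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [20/May/2025:10:01:02 +0000] "GET /H5/webgl.asp?tggl_port=0&remote_management=0&http_passwd=EXAMPLE&exec_service=admin-restart HTTP/1.1" 200 512',
    '192.0.2.10 - - [20/May/2025:10:02:00 +0000] "GET /H5/index.asp HTTP/1.1" 200 1024',
    '203.0.113.5 - - [20/May/2025:10:03:00 +0000] "GET /h5/webgl%2Easp?HTTP_PASSWD=x HTTP/1.1" 403 0',
    '192.0.2.10 - - [20/May/2025:10:04:00 +0000] "GET /H5/webgl.asp?tggl_port=0 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A match only shows that a password-setting request reached the interface; compare the source address and time against known administrator activity. Requests that carry the parameters in a POST body do not appear in access logs and need a sensor that records request bodies.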

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1098 Account Manipulation (Tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

T1212 Exploitation for Credential Access (Tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

The vulnerability enables remote, unauthenticated password changes on the admin account via the web management interface, mapping to exploitation of a public-facing application (T1190), account manipulation via password modification (T1098), and exploitation specifically for credential access (T1212).

Affected Assets

Vendor: dlink
Product: di-7003g firmware
Version: 24.04.18d1_r(68125)

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-640

Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.
