Cyber Resilience

CVE-2025-5571

Severity: Medium · Public PoC

Published: 04 June 2025
Modified: 15 July 2025
KEV Added: not listed
Patch: none
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0359 (88.0th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-5571 is a medium-severity Command Injection (CWE-77) vulnerability in D-Link DCS-932L firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.0% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2025-5571 is an OS command injection vulnerability in the D-Link DCS-932L network camera running firmware version 2.18.01. It resides in the setSystemAdmin function behind the /setSystemAdmin endpoint, where the AdminID argument is passed into an operating-system command without sanitization. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.3.

An authenticated remote attacker can supply a crafted AdminID value to execute arbitrary operating-system commands on the device. Because the attack is network-reachable and the exploit code has already been published, an adversary who obtains valid credentials can achieve command execution without further user interaction. The vulnerability affects only the DCS-932L model and only firmware that is no longer supported by D-Link.

Vendor information and public references indicate that the product line has reached end-of-life, so no official patches are expected. The listed references consist of a public exploit disclosure on GitHub together with VulDB entries that document the issue; the D-Link site simply confirms the device is unsupported. The associated EPSS score remains low and unchanged at 0.0359, indicating no material increase in observed exploitation interest since disclosure.

Vulnerability details

A vulnerability was found in D-Link DCS-932L 2.18.01. It has been classified as critical. Affected is the function setSystemAdmin of the file /setSystemAdmin. The manipulation of the argument AdminID leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in the web endpoint /setSystemAdmin of the public-facing D-Link DCS-932L IP camera enables exploitation of public-facing applications (T1190) and arbitrary OS command execution via command and scripting interpreters (T1059).

Affected Assets

Vendor: dlink
Product: dcs-932l firmware
Version: 2.18.01

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
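As an added example, not part of this advisory or of D-Link's firmware, the input-validation control above applied to the AdminID argument, together with a log scan that flags /setSystemAdmin requests whose AdminID would fail that check. The allowed character set, the length limit, the Common Log Format layout and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for the admin account name: letters, digits, '_', '.', '-', 1..32 chars.
# The character set and length limit are assumptions, not D-Link's actual rules.
ADMIN_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Shell metacharacters that should never appear in an account name.
SHELL_META_RE = re.compile(r"[;|&`$()<>\n\r\\'\"]")
# Common Log Format: client IP, ident, user, [timestamp], "METHOD PATH PROTO" ...
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def admin_id_is_valid(value: str) -> bool:
    """Server-side check: accept the value only if every character is on the allowlist."""
    return ADMIN_ID_RE.fullmatch(value) is not None


def suspicious_requests(log_lines):
    """Scan web-server log lines for /setSystemAdmin requests whose AdminID would be
    rejected by the allowlist; return (client_ip, decoded AdminID, reason) tuples."""
    findings = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client_ip, path = m.group(1), m.group(3)
        url = urlsplit(path)
        if url.path != "/setSystemAdmin":
            continue
        # parse_qs percent-decodes, so '%3B' in the log becomes ';' here and '+' becomes a space.
        for admin_id in parse_qs(url.query).get("AdminID", []):
            if admin_id_is_valid(admin_id):
                continue
            reason = "shell-metacharacter" if SHELL_META_RE.search(admin_id) else "outside-allowlist"
            findings.append((client_ip, admin_id, reason))
    return findings


# Constructed sample log lines (not captured from any real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2025:10:00:00 +0000] "POST /setSystemAdmin?AdminID=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2025:10:00:05 +0000] "POST /setSystemAdmin?AdminID=admin%3B HTTP/1.1" 200 512',
    '203.0.113.4 - - [04/Jun/2025:10:00:09 +0000] "POST /setSystemAdmin?AdminID=first+last HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/Jun/2025:10:00:12 +0000] "GET /status.cgi?AdminID=x%3B HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for ip, value, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent AdminID={value!r}: {reason}")
```

Requests to other paths are ignored, so the same scan can run over the camera's full access log; only the endpoint named in this CVE is inspected.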

References