CVE-2025-57105
Published: 22 August 2025
Summary
CVE-2025-57105 is a critical-severity Command Injection (CWE-77) vulnerability in D-Link DI-7400G+ firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 28.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Remediates the specific command injection flaw in the sub_478D28 and sub_4A12DC functions of the jhttpd program, preventing arbitrary command execution via the ac_mng_srv_host parameter.
- Validates the ac_mng_srv_host parameter at the input points in mng_platform.asp and wayos_ac_server.asp to block malicious command injection payloads.
- Enforces boundary protection on the router's management interfaces to restrict network access and mitigate remote unauthenticated exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in the router's web management interfaces (mng_platform.asp and wayos_ac_server.asp) enables authenticated remote attackers to execute arbitrary Unix shell commands via the system() function after injecting payloads into NVRAM, mapping to exploitation of remote services and Unix shell execution.
NVD Description
The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary commands on the device. The flaw lies in the sub_478D28 function in mng_platform.asp and the sub_4A12DC function in wayos_ac_server.asp of the jhttpd program, via the parameter ac_mng_srv_host.
Deeper analysis
CVE-2025-57105 is a command injection vulnerability (CWE-77) affecting the DI-7400G+ router. The issue resides in the sub_478D28 function within mng_platform.asp and the sub_4A12DC function within wayos_ac_server.asp of the jhttpd program, exploitable through the ac_mng_srv_host parameter. This flaw enables attackers to execute arbitrary commands on the device and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no authentication privileges or user interaction. Successful exploitation allows arbitrary command execution on the underlying router operating system, potentially leading to full device compromise, such as data theft, configuration manipulation, or use as a pivot for further network attacks.
D-Link advisories and product support information are available at https://www.dlink.com/en/security-bulletin/ and https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-7400G%2B. Proof-of-concept code demonstrating the vulnerability is published in the GitHub repository https://github.com/xyh4ck/iot_poc.
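As a worked illustration of the input-validation control (SI-10) listed above, the following C function is an added example, not D-Link's or jhttpd's code: it assumes ac_mng_srv_host is meant to carry a management-server hostname or IPv4 literal, and accepts only that grammar, so shell metacharacters never reach NVRAM or a system() call. The function name and limits are the example's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical allow-list validator for an ac_mng_srv_host value
 * (added example, not jhttpd code). Accepts only RFC 1123 hostnames
 * or dotted IPv4 literals: labels of [A-Za-z0-9-], 1..63 chars, no
 * leading or trailing '-', total length <= 253. Anything else, such as
 * ; | & $ ` ( ) quotes, whitespace or an empty string, is rejected
 * before the value can be stored or passed to a command. */
#define MAX_HOST_LEN  253
#define MAX_LABEL_LEN 63

bool valid_mng_srv_host(const char *host)
{
    size_t len;
    size_t label = 0;   /* length of the label currently being scanned */

    if (host == NULL)
        return false;
    len = strlen(host);
    if (len == 0 || len > MAX_HOST_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* reject an empty label ("a..b", leading '.') or one ending in '-' */
            if (label == 0 || host[i - 1] == '-')
                return false;
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return false;   /* every shell metacharacter lands here */
        if (label == 0 && c == '-')
            return false;   /* a label may not start with '-' */
        if (++label > MAX_LABEL_LEN)
            return false;
    }
    /* the final label must be non-empty (no trailing '.') and not end in '-' */
    return label > 0 && host[len - 1] != '-';
}
```

Even a validated value should be handed to the target program as its own argv element via execve rather than interpolated into a shell string for system(), so the allow-list is a second layer rather than the only one.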
Details
- CWE(s)