Cyber Resilience

CVE-2025-57105

Critical · Public PoC · RCE

Published: 22 August 2025
Modified: 02 October 2025
KEV Added: none
Patch: none listed
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0107 (78.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57105 is a critical-severity command injection (CWE-77) vulnerability in D-Link DI-7400G+ firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 21.9% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The DI-7400G+ router is affected by a command injection vulnerability tracked as CVE-2025-57105. The flaw resides in the jhttpd program, specifically in the sub_478D28 function (handling mng_platform.asp) and the sub_4A12DC function (handling wayos_ac_server.asp), both reachable through the ac_mng_srv_host parameter. It carries a CVSS 3.1 score of 9.8 and is classified under CWE-77.

Remote attackers can exploit the issue without authentication or user interaction by supplying crafted input to the affected ASP endpoints, resulting in arbitrary command execution on the device with full impact to confidentiality, integrity, and availability.

Vendor advisories and product information are referenced at the D-Link support pages http://di-7400.com, https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-7400G%2B, and https://www.dlink.com/en/security-bulletin/, while proof-of-concept material appears in the public repository https://github.com/xyh4ck/iot_poc. The EPSS score remains flat at 0.0107 with no material increase observed since publication.

EU & UK References

Vulnerability details

The DI-7400G+ router has a command injection vulnerability that allows attackers to execute arbitrary commands on the device. The flaw is in the sub_478D28 function (mng_platform.asp) and the sub_4A12DC function (wayos_ac_server.asp) of the jhttpd program, reachable through the ac_mng_srv_host parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The command injection vulnerability in the router's web management interfaces (mng_platform.asp and wayos_ac_server.asp) enables authenticated remote attackers to execute arbitrary Unix shell commands via the system() function after injecting payloads into NVRAM, mapping to exploitation of remote services and Unix shell execution.

CVEs Like This One

CVE-2025-15357 (same product: D-Link DI-7400G+)
CVE-2025-25743 (same vendor: D-Link)
CVE-2025-29635 (same vendor: D-Link)
CVE-2025-69542 (same vendor: D-Link)
CVE-2026-36983 (same vendor: D-Link)
CVE-2026-3485 (same vendor: D-Link)
CVE-2025-7836 (same vendor: D-Link)
CVE-2025-55848 (same vendor: D-Link)
CVE-2025-60854 (same vendor: D-Link)
CVE-2026-2120 (same vendor: D-Link)

Affected Assets

Vendor: dlink
Product: di-7400g+ firmware
Version: 19.12.25a1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Remediates the specific command injection flaw in the sub_478D28 and sub_4A12DC functions of the jhttpd program, preventing arbitrary command execution via the ac_mng_srv_host parameter.

SI-10 Information Input Validation (prevent): Validates the ac_mng_srv_host parameter at the input points in mng_platform.asp and wayos_ac_server.asp to block malicious command injection payloads.

SC-7 Boundary Protection (prevent): Enforces boundary protection on the router's management interfaces to restrict network access and mitigate remote unauthenticated exploitation.
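A concrete form of the input-validation control above, as an added example that is not D-Link's jhttpd code: a strict allowlist validator for a value shaped like ac_mng_srv_host (dot-separated hostname labels or an IPv4 literal), and a caller that passes the validated value as its own argv element to fork/execv instead of formatting it into a system() string. The function names, the `/bin/echo` stand-in for whatever helper the firmware actually runs, and the sample inputs are all assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not vendor code. Names below are hypothetical; the point is
 * the allowlist shape of the check and the absence of system(). */

#define MAX_HOST_LEN  253   /* RFC 1123 limit for a fully qualified name */
#define MAX_LABEL_LEN 63

/* Allowlist check for a value such as ac_mng_srv_host. Accepts only
 * dot-separated labels of [A-Za-z0-9-] (this also covers IPv4 literals),
 * with no empty label and no leading or trailing hyphen in a label. Every
 * other byte, including ; | & $ ` ' " ( ) < > newline and space, is
 * rejected, so shell metacharacters never reach a command line or NVRAM. */
bool valid_mng_srv_host(const char *s)
{
    if (s == NULL) return false;
    size_t n = strlen(s);
    if (n == 0 || n > MAX_HOST_LEN) return false;

    size_t label_len = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* "a..b", ".a" and "a-.b" are all malformed */
            if (label_len == 0 || s[i - 1] == '-') return false;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;   /* outside the allowlist */
        if (c == '-' && label_len == 0) return false;  /* label starts with '-' */
        if (++label_len > MAX_LABEL_LEN) return false;
    }
    /* reject a trailing dot or a trailing hyphen */
    return label_len != 0 && s[n - 1] != '-';
}

/* Use the validated host without a shell: it becomes a single argv element
 * for fork/execv rather than text inside a system() format string, so even a
 * validator bug could not turn the value into extra commands. Returns -1 if
 * validation fails (nothing is executed), otherwise the child's exit status.
 * "/bin/echo" is a stand-in for the firmware's real helper program. */
int apply_ac_server_setting(const char *host)
{
    if (!valid_mng_srv_host(host)) return -1;

    char *const argv[] = { "/bin/echo", "ac_mng_srv_host", (char *)host, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);   /* only returns on failure */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample inputs: one well-formed, one carrying a metacharacter */
    const char *inputs[] = { "ac.example.com", "ac.example.com;id" };
    for (size_t i = 0; i < 2; i++) {
        int rc = apply_ac_server_setting(inputs[i]);
        printf("%-20s -> %s (rc=%d)\n", inputs[i],
               rc == -1 ? "rejected" : "applied", rc);
    }
    return 0;
}
```

The validator is deliberately an allowlist rather than a blocklist of shell characters: a blocklist has to anticipate every quoting trick of every shell the firmware might ship, while the allowlist only has to describe what a legitimate server host looks like. The argv-based exec is the second, independent layer.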

References