CVE-2025-6896
Published: 30 June 2025
Summary
CVE-2025-6896 is a low-severity Command Injection (CWE-77) vulnerability in D-Link DI-7300G+ firmware. Its CVSS base score is 2.1 (Low).
Operationally, it is ranked in the top 15.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability classified as critical has been identified in the D-Link DI-7300G+ firmware version 19.12.25A1. The issue resides in an unknown function within the wget_test.asp file, where improper handling of the url argument enables OS command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 2.1, reflecting a network attack vector, low complexity, and low required privileges.
An attacker with low privileges can exploit the vulnerability remotely by supplying a crafted url value to the affected endpoint. Successful exploitation grants the ability to execute arbitrary operating system commands, resulting in limited impacts to confidentiality, integrity, and availability on the device. The exploit code has already been made public.
The associated EPSS score remains flat at 0.0207, with no material increase observed after disclosure. Public references include a detailed proof-of-concept document and multiple VulDB entries, while the vendor site provides the primary point of contact for any subsequent firmware updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19516
Vulnerability details
A vulnerability classified as critical has been found in D-Link DI-7300G+ 19.12.25A1. Affected is an unknown function of the file wget_test.asp. The manipulation of the argument url leads to os command injection. It is possible to launch the attack remotely.…
The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.