Cyber Resilience

CVE-2025-69542

Critical · Public PoC · RCE

Published: 09 January 2026

Modified: 10 February 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0843 (94.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-69542 is a critical-severity Command Injection (CWE-77) vulnerability in Dlink Dir-895La1 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69542 is a command injection vulnerability (CWE-77) affecting the DHCP daemon service in D-Link DIR895LA1 routers running firmware version v102b07. The flaw resides in the lease renewal processing logic, where the DHCP hostname parameter supplied by a client is directly concatenated into a system command without proper sanitization, enabling code execution.

Attackers with network access can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By renewing an existing DHCP lease using a malicious hostname, an unauthenticated remote attacker can execute arbitrary commands on the router with root privileges, potentially leading to full device compromise, data theft, or further network pivoting.

Details on mitigation, including any patches or workarounds, are provided in the advisory at https://tzh00203.notion.site/D-Link-DIR895LA1-v102b07-Command-Injection-in-DHCPd-2d4b5c52018a80a1a5ccfb317b308861?source=copy_link.
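
As an added illustration of the SI-10 control for this flaw class (not code from the D-Link firmware or the referenced advisory), the C sketch below validates the raw DHCP Host Name option (option 12) against RFC 1123 hostname syntax and passes it as a single `execv()` argument instead of concatenating it into a shell command. The function names and `LEASE_HOOK_PATH` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define HOSTNAME_MAX 253                        /* RFC 1123 total length limit */
#define LABEL_MAX 63                            /* RFC 1123 per-label limit */
#define LEASE_HOOK_PATH "/usr/sbin/lease-hook"  /* hypothetical placeholder path */

/* Flaw class (generic sketch, not the firmware's code): a command string built
 * with "%s" from the hostname and run via system(), so a shell parses client bytes. */

static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* Returns 1 only if the raw option 12 bytes form an RFC 1123 hostname (letters,
 * digits, inner hyphens, dot-separated labels); NUL, spaces and shell
 * metacharacters all fail. */
int dhcp_hostname_is_valid(const unsigned char *opt, size_t len)
{
    size_t label_len = 0;
    if (opt == NULL || len == 0 || len > HOSTNAME_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = opt[i];
        if (c == '.') {
            if (label_len == 0 || opt[i - 1] == '-') return 0;
            label_len = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label_len > 0)) {
            if (++label_len > LABEL_MAX) return 0;
        } else {
            return 0;
        }
    }
    return label_len > 0 && opt[len - 1] != '-';
}

/* Fills argv for execv() (cast to char *const *): the hostname travels as one
 * argument and no shell ever interprets it. Returns -1 on rejection. */
int build_lease_hook_argv(const unsigned char *opt, size_t len,
                          char *name_buf, size_t name_buf_sz, const char *argv[4])
{
    if (!dhcp_hostname_is_valid(opt, len) || len + 1 > name_buf_sz) return -1;
    memcpy(name_buf, opt, len);
    name_buf[len] = '\0';
    argv[0] = LEASE_HOOK_PATH; argv[1] = "renew"; argv[2] = name_buf; argv[3] = NULL;
    return 0;
}
```

Rejected hostnames should be dropped or replaced with a fixed placeholder and logged with the client MAC, which also gives detection coverage for renewal requests carrying unexpected bytes.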

Vulnerability details

A Command Injection Vulnerability has been discovered in the DHCP daemon service of D-Link DIR895LA1 v102b07. The vulnerability exists in the lease renewal processing logic where the DHCP hostname parameter is directly concatenated into a system command without proper sanitization. When a DHCP client renews an existing lease with a malicious hostname, arbitrary commands can be executed with root privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in DHCP daemon enables unauthenticated remote exploitation of a network-accessible service (T1190) for arbitrary root Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29635 (Same vendor: Dlink)
CVE-2026-36983 (Same vendor: Dlink)
CVE-2026-4209 (Same vendor: Dlink)
CVE-2026-1596 (Same vendor: Dlink)
CVE-2026-2152 (Same vendor: Dlink)
CVE-2025-14659 (Same vendor: Dlink)
CVE-2026-2157 (Same vendor: Dlink)
CVE-2026-4210 (Same vendor: Dlink)
CVE-2026-1624 (Same vendor: Dlink)
CVE-2025-1800 (Same vendor: Dlink)

Affected Assets

dlink
dir-895la1 firmware
102b07

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the command injection by requiring validation and sanitization of the DHCP hostname input before concatenation into system commands.

prevent

Addresses the specific flaw in the DHCP daemon's lease renewal processing through timely identification, reporting, and correction via patches or updates.

prevent

Restricts the types, sources, and quantity of hostname inputs to the DHCP service, limiting opportunities for malicious command injection payloads.
