Cyber Resilience

CVE-2025-7407

LowPublic PoC

Published: 10 July 2025

Published
10 July 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0641 91.2th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7407 is a low-severity Command Injection (CWE-77) vulnerability in Netgear D6400 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

A critical vulnerability tracked as CVE-2025-7407 exists in Netgear D6400 firmware version 1.0.0.114. It is located in the diag.cgi component and stems from improper handling of the host_name argument, resulting in operating system command injection as classified under CWE-77 and CWE-78. The issue permits remote interaction and is present only in a product line that the vendor no longer supports.

An authenticated remote attacker can supply crafted input to the affected parameter and execute arbitrary operating system commands on the device. Public proof-of-concept code has been released, enabling straightforward reproduction of the attack against exposed units.

The vendor was notified in advance, confirmed the flaw, and responded promptly, although the affected hardware receives no further updates or patches because it has reached end of support.

The associated EPSS score has remained flat at 0.0641 with no material increase after disclosure.

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to os command injection. It is possible to initiate the attack…

more

remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early and confirmed the existence of the vulnerability. They reacted very quickly, professional and kind. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

OS command injection in public-facing router web component (diag.cgi) directly enables remote exploitation of a network device (T1190) and arbitrary command execution via its CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-28219Same vendor: Netgear
CVE-2022-40619Same vendor: Netgear
CVE-2025-50526Same vendor: Netgear
CVE-2024-54802Same vendor: Netgear
CVE-2024-12847Same vendor: Netgear
CVE-2026-5994Shared CWE-77, CWE-78
CVE-2026-7538Shared CWE-77, CWE-78
CVE-2026-7124Shared CWE-77, CWE-78
CVE-2026-5853Shared CWE-77, CWE-78
CVE-2026-5997Shared CWE-77, CWE-78

Affected Assets

netgear
d6400 firmware
1.0.0.114

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by validating and sanitizing the host_name argument in the diag.cgi file to block malicious command execution.

prevent

Mandates prohibiting or compensating for unsupported system components like the unpatched Netgear D6400 firmware version 1.0.0.114 vulnerable to this issue.

prevent

Restricts remote network access to the vulnerable diag.cgi endpoint through boundary protection, mitigating the AV:N exploitation vector.

References