CVE-2025-7407
Published: 10 July 2025
Summary
CVE-2025-7407 is a low-severity Command Injection (CWE-77) vulnerability in Netgear D6400 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
A critical vulnerability tracked as CVE-2025-7407 exists in Netgear D6400 firmware version 1.0.0.114. It is located in the diag.cgi component and stems from improper handling of the host_name argument, resulting in operating system command injection as classified under CWE-77 and CWE-78. The issue permits remote interaction and is present only in a product line that the vendor no longer supports.
An authenticated remote attacker can supply crafted input to the affected parameter and execute arbitrary operating system commands on the device. Public proof-of-concept code has been released, enabling straightforward reproduction of the attack against exposed units.
The vendor was notified in advance, confirmed the flaw, and responded promptly, although the affected hardware receives no further updates or patches because it has reached end of support.
The associated EPSS score has remained flat at 0.0641 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20999
Vulnerability details
A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early and confirmed the existence of the vulnerability. They reacted very quickly, professionally and kindly. This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
OS command injection in a public-facing router web component (diag.cgi) directly enables remote exploitation of a network device (T1190) and arbitrary command execution via its CLI (T1059.008, Network Device CLI).
Mitigating Controls (NIST 800-53 r5) AI
- SI-10 (Information Input Validation): directly prevents OS command injection by validating and sanitizing the host_name argument handled by diag.cgi, so that shell metacharacters never reach a command line.
- SA-22 (Unsupported System Components): mandates prohibiting, or compensating for, unsupported system components such as the unpatched Netgear D6400 firmware version 1.0.0.114 affected by this issue.
- SC-7 (Boundary Protection): restricts remote network access to the vulnerable diag.cgi endpoint, mitigating the AV:N exploitation vector.
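As an added illustration of the SI-10 control (example code written for this page, not Netgear's diag.cgi): a strict allow-list validator for a host_name-style CGI argument, plus an argv builder that hands the validated value to the diagnostic tool as a single argument so no shell ever parses it. The ping invocation (`ping -c 3 <host>`) is an assumption.

```c
/* Added example, not Netgear code: allow-list validation for a host_name-style
 * CGI argument (NIST SI-10).  Only RFC 1123 hostnames and dotted IPv4 literals
 * pass; everything else is refused before it can reach a shell or an argv. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define MAX_HOSTNAME 253   /* RFC 1123 total length */
#define MAX_LABEL    63    /* per dot-separated label */

/* True only for dot-separated labels of ASCII letters, digits and '-', where
 * no label is empty, starts or ends with '-', or exceeds MAX_LABEL.  Shell
 * metacharacters, whitespace, quotes and non-ASCII bytes therefore fail, and
 * a leading '-' (which a tool would parse as an option) fails too. */
bool is_safe_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > MAX_HOSTNAME)
        return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || s[i - 1] == '-')
                return false;          /* empty label or label ending in '-' */
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label_len == 0)
                return false;          /* label must not start with '-' */
            if (++label_len > MAX_LABEL)
                return false;
        } else {
            return false;              /* ';', '|', '$', '`', ' ', etc. */
        }
    }
    return label_len > 0 && s[len - 1] != '-';   /* no trailing '.' or '-' */
}

/* Fills argv for the diagnostic (assumed: ping -c 3 <host>) as separate
 * elements for execvp(); no shell ever parses the user value.  Returns the
 * argument count, or -1 when the host is rejected or argv is too small. */
int build_ping_argv(const char *host, const char *argv[], size_t cap)
{
    if (cap < 5 || !is_safe_hostname(host))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "3";
    argv[3] = host;   argv[4] = NULL;
    return 4;
}
```

Calling the tool through execvp() with this array, instead of building a command string for system() or popen(), is what removes the injection path even if the validator were later loosened.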