Cyber Posture

CVE-2025-7407

Severity: Medium · Public PoC available

Published: 10 July 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0641 (91.1th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7407 is a medium-severity Command Injection (CWE-77) vulnerability in Netgear D6400 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.9% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Network Device CLI (T1059.008). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 (Information Input Validation) · prevent

Directly prevents OS command injection by validating and sanitizing the host_name argument handled by diag.cgi, so that injected shell metacharacters never reach a command line.

SA-22 (Unsupported System Components) · prevent

Mandates prohibiting, or compensating for, unsupported system components such as the unpatched Netgear D6400 firmware version 1.0.0.114 that is vulnerable to this issue.

SC-7 (Boundary Protection) · prevent

Restricts remote network access to the vulnerable diag.cgi endpoint through boundary protection, removing the network attack vector (AV:N) for hosts that should not reach the device's management interface.
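As an added illustration of the SI-10 control above (example code written for this page, not Netgear firmware or anything from the disclosure), the following shows how a CGI-style diagnostic handler can accept a hypothetical `host_name` parameter safely: an allow-list grammar for hostnames and IP literals is enforced first, and the diagnostic is then launched as an argv list rather than through a shell, so the parameter can only ever be a single argument.

```python
import ipaddress
import re
import subprocess

# Allow-list grammar for a diagnostic target: RFC 1123 hostname labels
# (alphanumerics and hyphens, 63 chars max per label) or an IP literal.
# Spaces, ';', '|', '&', '$', backticks and quotes are simply not in the
# grammar, so they are rejected before any command is built.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_target(host_name: str) -> bool:
    """Return True only if host_name is a syntactically valid hostname or IP address."""
    if not host_name or len(host_name) > 253:
        return False
    try:
        ipaddress.ip_address(host_name)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host_name) is not None


def build_ping_argv(host_name: str, count: int = 3) -> list:
    """Build the diagnostic command as an argv list, or raise on rejected input.

    Because the value is passed as one argv element (no shell), it can never
    become a second command. The grammar also guarantees the first character
    is alphanumeric or an IPv6 ':' , so it cannot be parsed as a ping option.
    """
    if not is_valid_target(host_name):
        raise ValueError("host_name rejected by allow-list")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), host_name]


def run_ping(host_name: str) -> int:
    """Execute the validated command without a shell and return its exit status."""
    argv = build_ping_argv(host_name)
    # shell=False: argv goes straight to execve, no interpretation of metacharacters.
    return subprocess.run(argv, shell=False, capture_output=True, timeout=30).returncode
```

`run_ping` actually executes ping and needs network access; `is_valid_target` and `build_ping_argv` are the parts to unit-test, including injection-shaped inputs that must be rejected.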

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

OS command injection in a public-facing router web component (diag.cgi) directly enables remote exploitation of a network device (T1190) and arbitrary command execution through the device's command interpreter (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early and confirmed the existence of the vulnerability. They reacted very quickly, professionally and kindly. This vulnerability only affects products that are no longer supported by the maintainer.

Deeper analysis [AI-generated]

CVE-2025-7407 is a critical vulnerability involving OS command injection in the Netgear D6400 router running firmware version 1.0.0.114. The issue resides in an unspecified component of the diag.cgi file, where manipulation of the host_name argument enables the injection. It is remotely exploitable and classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. Successful exploitation allows limited impacts, including low confidentiality, integrity, and availability effects through arbitrary OS command execution on the device.

References, including VulDB entries and a GitHub repository, disclose a proof-of-concept exploit and confirm the vendor was notified early, acknowledged the issue promptly and professionally, but noted that only unsupported products are affected, implying no patches are available from the maintainer. Security practitioners should prioritize isolating or retiring affected D6400 devices, as public exploit details may enable active attacks.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Affected Products: Netgear D6400 firmware, version 1.0.0.114

CVEs Like This One

CVE-2025-28219 (same vendor: Netgear)
CVE-2024-54802 (same vendor: Netgear)
CVE-2025-50526 (same vendor: Netgear)
CVE-2026-5978 (shared CWE-77, CWE-78)
CVE-2026-5351 (shared CWE-77, CWE-78)
CVE-2026-3040 (shared CWE-77, CWE-78)
CVE-2026-4499 (shared CWE-77, CWE-78)
CVE-2026-4627 (shared CWE-77, CWE-78)
CVE-2026-6115 (shared CWE-77, CWE-78)
CVE-2026-6132 (shared CWE-77, CWE-78)

References