CVE-2025-9387
Published: 24 August 2025
Summary
CVE-2025-9387 is a low-severity Command Injection (CWE-77) vulnerability in Dcnetworks Dcme-720 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9387 is an OS command injection vulnerability affecting the DCN DCME-720 appliance at firmware version 9.1.5.11. It resides in an unspecified function of the file /usr/local/www/function/audit/newstatistics/ip_block.php within the Web Management Backend component and stems from insufficient sanitization of the ip argument, corresponding to CWE-77 and CWE-78.
An authenticated remote attacker with low-privileged access can supply a crafted ip value to the endpoint and execute arbitrary operating system commands. The attack is network-reachable, has low complexity, and requires no user interaction; its effects on confidentiality, integrity, and availability are limited, consistent with the CVSS base score of 2.1.
Public proof-of-concept code has been published on GitHub, and the vendor was contacted prior to disclosure but did not respond. The associated EPSS score has remained flat at 0.0125 with no material rise after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25740
Vulnerability details
A vulnerability was found in DCN DCME-720 9.1.5.11. This affects an unknown function of the file /usr/local/www/function/audit/newstatistics/ip_block.php of the component Web Management Backend. Performing manipulation of the argument ip results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. Other products might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The vulnerability is a remote OS command injection in the web management backend (/usr/local/www/function/audit/newstatistics/ip_block.php), enabling exploitation of a public-facing web application (T1190) and execution of Unix shell commands via tainted input (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the 'ip' argument before it reaches the OS command execution path in ip_block.php.
Limits the privileges available to the low-privilege account used for remote exploitation, reducing the scope of injectable OS commands.
Enables monitoring of web-backend processes and command execution anomalies that would reveal attempted or successful injection via the public exploit.
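The input-validation and monitoring controls above can be combined into a log triage check. This is an added example, not code from the advisory or the vendor. It assumes the script is served under a URL ending in /ip_block.php, that ip arrives in the query string, and that access logs use the combined format; the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the advisory): the script is served under a URL ending
# in /ip_block.php, "ip" arrives in the query string, and the web server writes
# combined-format access logs. Adjust for POST bodies or other log layouts.
TARGET_SUFFIX = "/ip_block.php"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def is_strict_ip(value):
    """True only when value is exactly one IPv4 or IPv6 literal."""
    # ipaddress accepts an IPv6 zone ID after '%' (Python 3.9+) and barely
    # checks its contents, so refuse '%' before parsing.
    if "%" in value:
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def flag_requests(lines):
    """Return (line_number, decoded ip value) for every non-address ip value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith(TARGET_SUFFIX):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("ip", []):
            if not is_strict_ip(value):
                hits.append((number, value))
    return hits


# Constructed sample lines; all addresses come from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.10 - - [24/Aug/2025:10:01:02 +0000] "GET /function/audit/newstatistics/ip_block.php?ip=192.0.2.7 HTTP/1.1" 200 512',
    '198.51.100.23 - - [24/Aug/2025:10:04:41 +0000] "GET /function/audit/newstatistics/ip_block.php?ip=192.0.2.7%3BPLACEHOLDER HTTP/1.1" 200 498',
    '198.51.100.10 - - [24/Aug/2025:10:05:00 +0000] "GET /index.php?ip=not-an-ip HTTP/1.1" 200 100',
    '198.51.100.10 - - [24/Aug/2025:10:06:13 +0000] "GET /function/audit/newstatistics/ip_block.php?ip=2001:db8::1 HTTP/1.1" 200 512',
]
```

The same strict check, applied server-side before the value reaches any command execution path, is the allow-list form of the input-validation control.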