Cyber Resilience

CVE-2025-9387

Low · Public PoC

Published: 24 August 2025

Modified: 29 April 2026
KEV Added
Patch
CVSS Score v4: 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0125 (79.7th percentile)
Risk Priority: 5 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9387 is a low-severity Command Injection (CWE-77) vulnerability in Dcnetworks Dcme-720 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9387 is an OS command injection vulnerability affecting the DCN DCME-720 appliance at firmware version 9.1.5.11. It resides in an unspecified function of the file /usr/local/www/function/audit/newstatistics/ip_block.php within the Web Management Backend component and stems from insufficient sanitization of the ip argument, corresponding to CWE-77 and CWE-78.

An authenticated remote attacker with low-privileged access can supply a crafted ip value to the endpoint and execute arbitrary operating system commands. The attack is network-reachable, has low complexity, and requires no user interaction. It produces limited effects on confidentiality, integrity, and availability, consistent with the CVSS base score of 2.1.

Public proof-of-concept code has been published on GitHub, and the vendor was contacted prior to disclosure but did not respond. The associated EPSS score has remained flat at 0.0125 with no material rise after publication.

Vulnerability details

A vulnerability was found in DCN DCME-720 9.1.5.11. This affects an unknown function of the file /usr/local/www/function/audit/newstatistics/ip_block.php of the component Web Management Backend. Performing manipulation of the argument ip results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. Other products might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability is a remote OS command injection in the web management backend (/usr/local/www/function/audit/newstatistics/ip_block.php), enabling exploitation of a public-facing web application (T1190) and execution of Unix shell commands via tainted input (T1059.004).

CVEs Like This One

CVE-2026-2000 (Same vendor: Dcnetworks)
CVE-2026-9454 (Shared CWE-77, CWE-78)
CVE-2026-6116 (Shared CWE-77, CWE-78)
CVE-2026-6158 (Shared CWE-77, CWE-78)
CVE-2026-7138 (Shared CWE-77, CWE-78)
CVE-2025-15472 (Shared CWE-77, CWE-78)
CVE-2026-2260 (Shared CWE-77, CWE-78)
CVE-2026-9385 (Shared CWE-77, CWE-78)
CVE-2026-4465 (Shared CWE-77, CWE-78)
CVE-2026-7125 (Shared CWE-77, CWE-78)

Affected Assets

dcnetworks
dcme-720 firmware
9.1.5.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation and sanitization of the 'ip' argument before it reaches the OS command execution path in ip_block.php.

prevent

Limits the privileges available to the low-privilege account used for remote exploitation, reducing the scope of injectable OS commands.

detect

Enables monitoring of web-backend processes and command execution anomalies that would reveal attempted or successful injection via the public exploit.
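
The input-validation control above, sketched as an added example; it is not DCN firmware code and not from the original page. It assumes PHP 7.4 or later, and the function names canonical_ip() and block_ip() and the backend command path are hypothetical, since the page does not show what ip_block.php runs.

```php
<?php
declare(strict_types=1);

// Added example, not DCN firmware code. Function names and the backend
// command path are hypothetical; the page does not show ip_block.php itself.

/** Return the normalised literal IPv4/IPv6 address, or null for anything else. */
function canonical_ip($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 45) {
        return null;                       // arrays, empty or over-long values
    }
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;                       // not a bare address literal
    }
    // Round-trip through the binary form so later code only ever sees a
    // re-rendered address, never the caller's original bytes.
    $packed = inet_pton($raw);
    $text = $packed === false ? false : inet_ntop($packed);
    return $text === false ? null : $text;
}

/** Run the placeholder block command with the address as a single argv element. */
function block_ip(string $ip): int
{
    $argv = ['/usr/local/bin/example-block', '--', $ip];   // placeholder path
    $spec = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['file', '/dev/null', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    // Array form of proc_open() (PHP 7.4+) starts the program directly,
    // so no shell ever parses the argument.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start block command');
    }
    return proc_close($proc);
}

// Constructed sample values standing in for the request's ip parameter.
// block_ip() is not called here because its command is a placeholder.
$samples = ['203.0.113.7', '2001:DB8::1', '203.0.113.7;echo x',
            "203.0.113.7\n", ['203.0.113.7'], ''];
foreach ($samples as $s) {
    $ip = canonical_ip($s);
    printf("%-24s => %s\n", json_encode($s),
        $ip === null ? 'rejected (respond 400)' : "accepted as $ip");
}
```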
