CVE-2025-12296

4.7 MEDIUM

📋 TL;DR

This CVE describes an OS command injection vulnerability in the firmware update handler of the D-Link DAP-2695 access point that lets a remote attacker who can reach the handler execute arbitrary commands on the device. Only DAP-2695 units running firmware version 2.00RC13 are listed as affected. The product is end-of-life and no longer supported by the vendor, so no fixed firmware is expected.

💻 Affected Systems

Products:
  • D-Link DAP-2695
Versions: 2.00RC13
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is the firmware update handler of the web management interface, which is present in the default configuration; a device is exposed wherever that interface can be reached. The product is end-of-life with no vendor support.

📦 What is this software?

The D-Link DAP-2695 is a business-class dual-band 802.11ac PoE wireless access point. It is configured through an embedded web management interface, which is also where its firmware update handler lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise: the attacker installs a persistent backdoor, pivots from the access point into the wired and wireless networks it bridges, or enrolls the device in a botnet.

🟠 Likely Case

Device takeover used for credential harvesting, network reconnaissance, or as a launch point for attacks against other systems.

🟢 If Mitigated

Limited impact if the device is isolated from sensitive networks, its management interface is reachable only from administration hosts, and it is monitored for unusual activity.

🌐 Internet-Facing: HIGH - a management interface reachable from the internet exposes the vulnerable handler to every host that can reach it, and there is no patch to close the hole.
🏢 Internal Only: MEDIUM - still reachable by internal attackers or compromised internal systems on the same management network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Claimed (see note below)
Complexity: LOW

A public exploit is available on GitHub; the attack needs network access to the device's web management interface. Note that the 4.7 MEDIUM base score shown above is inconsistent with unauthenticated remote OS command injection, which would be rated Critical (9.8 under CVSS v3.1). A 4.7 score matches the CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L, i.e. a remote attacker who already holds high privileges such as an administrator login to the web interface. Until the vector is confirmed, treat the "unauthenticated" claim as unverified and assume default or leaked administrator credentials are the realistic path to the handler.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A (end-of-life; no fixed firmware will be released)

Vendor Advisory: https://www.dlink.com/

Restart Required: N/A

Instructions:

No official patch is available because the product is end-of-life. The only complete remediation is to replace the access point with supported hardware; the workarounds below reduce exposure until that happens.

🔧 Temporary Workarounds

Restrict access to the firmware update handler (all deployments)

The vulnerable code path is part of the web management interface, so the practical control is to limit who can reach that interface: disable any remote (WAN-side) management, and permit access to the management port only from administration hosts. If the device offers a setting that disables firmware upload through the web UI, enable it, but do not rely on it alone.

Network segmentation (all deployments)

Place affected devices on a dedicated management VLAN with firewall rules that block all inbound traffic to the management port (80/443 by default) except from the administration subnet, and restrict outbound connections from the device to what it actually needs (e.g. NTP, syslog, RADIUS).

🧯 If You Can't Patch

  • Immediately remove affected devices from internet-facing positions and from any network path where untrusted users can reach the management interface
  • Implement strict network access controls allowing only necessary traffic to/from the devices, and rotate administrator credentials so the management interface that hosts the vulnerable handler is not reachable with default or shared passwords

🔍 How to Verify

Check if Vulnerable:

Read the firmware version from the web interface's status or maintenance page. If the model is DAP-2695 and the version is 2.00RC13, the device is vulnerable. Any DAP-2695 is end-of-life and should be scheduled for replacement regardless of version.

Check Version:

Open http://[device-ip]/ (or https://) and look for the firmware version on the status page; if the device's SSH/Telnet CLI is enabled, its version command shows the same string.

Verify Fix Applied:

No fix exists, so verify the workarounds instead: from a host outside the administration subnet, confirm that the management port (80/443) is unreachable (the TCP connection is refused or times out); from an administration host, confirm that remote management is disabled and that the firmware version has not changed unexpectedly.
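The version check above can be scripted for a fleet. The following is an added example, not code from the original page or from D-Link: it extracts a D-Link style version token (N.NNRCnn) from the text of a device's web UI page and classifies the unit. The HTML snippet is constructed, and the real markup of the DAP-2695 status page and the plain-HTTP default are assumptions, which is why the regex is kept loose.

```python
"""Classify a D-Link DAP-2695 from the text of its web management page.

Added example (not from the advisory or from D-Link). The status page
markup is assumed; the regex only looks for a version token of the form
N.NNRCnn anywhere in the page, so it tolerates layout differences.
"""
import re
import urllib.request
from typing import Optional

AFFECTED_MODEL = "DAP-2695"
AFFECTED_VERSIONS = {"2.00RC13"}   # the only version this CVE lists

# D-Link AP firmware strings look like "2.00RC13"; match exactly that shape
_VERSION_RE = re.compile(r"\b(\d+\.\d{2}RC\d+)\b", re.IGNORECASE)
_MODEL_RE = re.compile(r"\bDAP-2695\b", re.IGNORECASE)


def extract_firmware_version(page_text: str) -> Optional[str]:
    """Return the first firmware version token found in the page, or None."""
    m = _VERSION_RE.search(page_text)
    return m.group(1).upper() if m else None


def assess(page_text: str) -> str:
    """Classify a device from its status/login page text.

    'vulnerable'  -> model and affected version both confirmed
    'eol-replace' -> model confirmed, other version: still unsupported hardware
    'not-dap2695' -> model string absent; nothing to conclude from this page
    """
    if not _MODEL_RE.search(page_text):
        return "not-dap2695"
    version = extract_firmware_version(page_text)
    if version in AFFECTED_VERSIONS:
        return "vulnerable"
    return "eol-replace"


def fetch_page(host: str, timeout: float = 5.0) -> str:
    """Fetch the web UI landing page over plain HTTP (assumed default)."""
    with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: the shape of a status page, not a capture from a device
SAMPLE_STATUS_PAGE = """
<html><body>
<td>Model Name</td><td>DAP-2695</td>
<td>Firmware Version</td><td>2.00RC13</td>
</body></html>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            try:
                print(host, assess(fetch_page(host)))
            except OSError as exc:
                print(host, "unreachable:", exc)
    else:
        print("sample:", assess(SAMPLE_STATUS_PAGE))
```

Run it with one or more device addresses as arguments; with no arguments it classifies the embedded sample. Because the product is end-of-life, the script reports any DAP-2695 that is not on 2.00RC13 as "eol-replace" rather than "safe".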

📡 Detection & Monitoring

Log Indicators:

  • Firmware update attempts outside change windows or from hosts that are not administration workstations
  • Unexpected processes or command execution visible on the device (e.g. a new telnetd or shell listener), where the device exposes a CLI or forwards syslog
  • Failed authentication attempts against the management interface shortly before a firmware update request

Network Indicators:

  • Unusual outbound connections from the access point (it normally needs little beyond NTP, syslog, RADIUS and management traffic)
  • HTTP requests to the management port (80/443 by default) whose firmware-update parameters contain shell metacharacters (; | ` $( or URL-encoded newlines), or update requests from non-administration sources

SIEM Query (template: the device emits no structured "command_execution" event, so map these fields onto whatever proxy, IDS or syslog source actually sees the management traffic):

source="dlink-dap-2695" AND (event="firmware_update" OR event="command_execution")
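The network indicator above (update requests carrying shell metacharacters) can be checked directly against access logs from a proxy or IDS placed in front of the device. The following is an added example, not code from the original page: it parses Common Log Format lines, keeps requests whose path looks like a firmware update handler, URL-decodes the query parameters (twice, to catch double encoding) and flags parameters containing command-injection metacharacters. The handler path, the log format and the sample lines are all constructed assumptions; the real DAP-2695 endpoint name is not given on this page.

```python
"""Flag firmware-update requests whose parameters carry shell metacharacters.

Added example (not from the advisory). Input is Common Log Format text from
a proxy/IDS in front of the device; the handler path '/cgi-bin/fwupdate.cgi'
and the sample lines are constructed, not captured from a real DAP-2695.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Paths that look like a firmware update handler (assumed; adjust to the device)
UPDATE_PATH_RE = re.compile(r"(firmware|fw|upgrade|update)", re.IGNORECASE)

# Tokens an OS command injection needs to break out of a shell argument
INJECTION_RE = re.compile(r"[;&|`\n\r]|\$\(|\$\{|%0a|%0d", re.IGNORECASE)

# Common Log Format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one CLF line into fields; empty dict if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def suspicious_params(target: str) -> List[str]:
    """Return 'key=value' for each query parameter containing injection tokens."""
    query = urlsplit(target).query
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; a second pass exposes double-encoded payloads
        decoded = unquote_plus(value)
        if INJECTION_RE.search(value) or INJECTION_RE.search(decoded):
            hits.append(f"{key}={decoded}")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per line that hits an update-style path with injection-looking input."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec:
            continue
        path = urlsplit(rec["target"]).path
        if not UPDATE_PATH_RE.search(path):
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": path, "params": hits})
    return findings


# Constructed sample log (not captured from a real device)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2025:10:01:02 +0000] "GET /login.cgi HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Jan/2025:10:01:09 +0000] "POST /cgi-bin/fwupdate.cgi?file=fw.bin HTTP/1.1" 200 128',
    '203.0.113.7 - - [12/Jan/2025:10:02:44 +0000] '
    '"POST /cgi-bin/fwupdate.cgi?file=fw.bin%3Btelnetd%20-l%2Fbin%2Fsh HTTP/1.1" 200 128',
    '203.0.113.7 - - [12/Jan/2025:10:02:51 +0000] '
    '"GET /cgi-bin/fwupdate.cgi?file=%2524(id) HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["params"])
```

Two caveats for real use: a firmware upload is normally a multipart POST body, which access logs do not record, so this catches only injection via URL parameters and needs a proxy or IDS that logs request bodies for the rest; and the legitimate administrator's update request (second sample line) is not flagged, which is the intended behaviour, but it should still be correlated with a change window.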
