CVE-2025-15357

6.3 MEDIUM

📋 TL;DR

This CVE describes a command injection vulnerability in the D-Link DI-7400G+ router (firmware 19.12.25A1) that allows a remote attacker to execute arbitrary commands on the device. The injection point is the 'cmd' parameter handled by the /msp_info.htm?flag=cmd endpoint of the web management interface. Organizations that expose that management interface to the internet are most at risk; anyone who can reach it on the LAN can also attempt the attack.

💻 Affected Systems

Products:
  • D-Link DI-7400G+
Versions: 19.12.25A1
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the web management interface enabled. Older firmware versions may also be affected, but this is unconfirmed.

📦 What is this software?

The DI-7400G+ is a D-Link router running embedded firmware. The vulnerable component is its built-in web management interface (the /msp_info.htm page), which is normally reachable from the LAN and, where remote management is enabled, from the WAN as well.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing the attacker to install persistent backdoors, pivot to internal networks, intercept traffic, or brick the device.

🟠 Likely Case: Router compromise leading to network traffic interception, DNS hijacking, credential theft, or use of the device as a botnet node.

🟢 If Mitigated: Limited impact if the management interface is reachable only from a restricted, segmented management network and not from the internet.

🌐 Internet-Facing: HIGH - Remote exploitation possible, public PoC available, and routers often have internet-facing interfaces.
🏢 Internal Only: MEDIUM - Still exploitable from inside the network, but the attacker first needs a foothold on a segment that can reach the management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (see note below)
Complexity: LOW

A public proof-of-concept is available on GitHub. Exploitation consists of sending crafted HTTP requests to the vulnerable endpoint. Note that the 6.3 MEDIUM score quoted above is what CVSS 3.1 yields for a network-reachable, low-complexity vulnerability with Low confidentiality, integrity and availability impact when low privileges are required; the same vector with no privileges required scores 7.3. Check the PR value of the published vector before treating the exploit as unauthenticated, and remember that default or weak management credentials make the distinction moot in practice.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (no fixed release is listed here; confirm with the vendor)

Vendor Advisory: https://www.dlink.com/ (generic vendor site; no product-specific advisory is linked on this page)

Restart Required: Yes

Instructions:

1. Check the D-Link support site for a DI-7400G+ firmware release newer than 19.12.25A1 that references this CVE.
2. Download the firmware image and verify its checksum if the vendor publishes one.
3. Upload it through the web management interface from the LAN side over a trusted connection.
4. Reboot the router and confirm the running firmware version has changed.

🔧 Temporary Workarounds

Disable web management interface (applies to: all)

Prevents access to the vulnerable endpoint by disabling the web management interface. Router-specific configuration via CLI or web interface. Caveat: this also removes your own ability to administer the device through the web UI; if that is not acceptable, disable WAN-side (remote) management and apply the access restriction below instead.

Restrict management interface access (applies to: all)

Limits access to the management interface to trusted IPs only. Configure firewall rules, on the router's own access lists and on any upstream firewall, that permit the router's management IP/ports only from a management network or jump host and drop everything else, including all WAN-side traffic.

🧯 If You Can't Patch

  • Place the router's management interface on a dedicated management VLAN with strict firewall rules, unreachable from user segments and from the WAN
  • Monitor traffic to the management interface for requests to /msp_info.htm and watch for unexpected outbound connections originating from the router

🔍 How to Verify

Check if Vulnerable:

On a device you are authorized to test, send a request to http://[router_ip]/msp_info.htm?flag=cmd with a benign, non-destructive value in the cmd parameter and check whether the response or the device's behaviour shows the value being executed as a command. Do not use payloads that modify the device or its configuration.

Check Version:

Read the firmware version from the web interface (system or status page) or via 'show version' on the CLI if the device exposes one; the affected version is 19.12.25A1.

Verify Fix Applied:

Repeat the same benign check after the firmware update and confirm the request is rejected or no longer results in command execution; also confirm the running version is no longer 19.12.25A1.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /msp_info.htm with a cmd parameter, especially from addresses that do not normally administer the device
  • Command execution or unexpected process activity in router logs, where the firmware logs it at all (many embedded devices do not, so rely on network-side sources)

Network Indicators:

  • HTTP requests to the management interface whose query string contains shell metacharacters (; | & ` $) in raw or percent-encoded form (%3B, %7C, %26, %60, %24)
  • Unexpected outbound connections from the router, for example to fetch a second-stage payload or to reach a command-and-control host

SIEM Query:

http.url:*msp_info.htm* AND http.uri_query:*cmd=* AND (http.uri_query:*;* OR http.uri_query:*|* OR http.uri_query:*`* OR http.uri_query:*%3B* OR http.uri_query:*%7C* OR http.uri_query:*%60*)

The percent-encoded forms are included because most log sources record the query string before decoding. The query only sees plaintext HTTP; if the management interface is served over HTTPS, you need TLS inspection or a proxy/on-device log source to get the URL fields at all.
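Added example, not from this page or from D-Link: the detection logic described by the indicators above, run over constructed access-log lines in Apache/nginx combined format. It assumes a reverse proxy or HTTP-aware sensor in front of the management interface emits such logs (the router's own logging is unknown). It goes further than the SIEM query in one respect: the cmd value is percent-decoded repeatedly, so encoded and double-encoded metacharacters are caught as well as raw ones.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined log format). Addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2025:10:00:01 +0000] "GET /msp_info.htm?flag=cmd&cmd=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2025:10:00:02 +0000] "GET /msp_info.htm?flag=cmd&cmd=1%3Bid HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.7 - - [12/Jan/2025:10:00:03 +0000] "GET /msp_info.htm?flag=cmd&cmd=1%257Cid HTTP/1.1" 200 640 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2025:10:00:04 +0000] "POST /msp_info.htm?flag=cmd HTTP/1.1" 200 640 "-" "python-requests/2.31"
203.0.113.5 - - [12/Jan/2025:10:00:05 +0000] "GET /index.htm?cmd=a%7Cb HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target and protocol from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Shell metacharacters used to terminate one command and start another.
SHELL_META = re.compile(r"[;|&`$\n\r]")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads do not slip through."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return the decoded cmd value when the request target looks like an injection attempt, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/msp_info.htm"):
        return None
    # parse_qs decodes one layer of percent-encoding; decode_fully handles the rest.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("cmd", []):
        value = decode_fully(raw)
        if SHELL_META.search(value):
            return value
    return None  # no cmd in the query string; a POST body cannot be inspected from access logs


def scan_log(text):
    """Return one finding per suspicious request: source, time, method and decoded cmd value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m["target"])
        if hit is not None:
            findings.append({"src": m["ip"], "ts": m["ts"], "method": m["method"], "cmd": hit})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The first sample line (a plain cmd value) and the /index.htm line are deliberately not flagged, which keeps the rule tied to the vulnerable endpoint; the POST line is not flagged either, because the parameter may travel in the body, which an access log does not record. Feed the same logic with request bodies from a proxy or IDS if you need to cover that case.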
