CVE-2025-45784

9.8 CRITICAL

📋 TL;DR

D-Link DPH-400S/SE VoIP phones contain hardcoded provisioning credentials in their firmware, allowing attackers who obtain the firmware image to extract sensitive passwords. This could lead to unauthorized access to device functions or user accounts. All users of affected D-Link VoIP phones are vulnerable.

💻 Affected Systems

Products:
  • D-Link DPH-400S
  • D-Link DPH-400SE
Versions: v1.01
Operating Systems: Embedded VoIP firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over VoIP phones, intercept calls, modify configurations, or use devices as entry points into corporate networks.

🟠 Likely Case

Attackers extract credentials from publicly available firmware images and use them to compromise vulnerable devices on accessible networks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to isolated VoIP network segments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to the firmware image, but extracting the credentials needs only basic static analysis tools such as strings or a hex editor.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: No

Instructions:

No official patch is available. Monitor the vendor advisory for firmware updates.

🔧 Temporary Workarounds

Network Segmentation

Isolate VoIP phones on a separate VLAN with strict firewall rules.

Access Control Lists

Implement ACLs that restrict management access to authorized IPs only.

🧯 If You Can't Patch

  • Replace affected devices with models from different vendors
  • Implement network monitoring for unusual VoIP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or console. If the version is v1.01, the device is vulnerable.

Check Version:

Check the device web interface at http://[device-ip]/ or use a console connection.

Verify Fix Applied:

No fix is available to verify. Monitor the vendor for firmware updates.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful logins from unusual IPs
  • Configuration changes from unauthorized sources

Network Indicators:

  • Unusual management traffic to VoIP devices
  • Traffic from VoIP phones to unexpected destinations

SIEM Query:

source="voip-devices" AND (event_type="auth_failure" OR event_type="config_change")
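
An added example, not part of the original advisory or any vendor tooling: a Python correlation of the log indicators above, run over constructed events. The allowlist, window, threshold and the names auth_success, device and src_ip are assumptions; it goes one step beyond the listed indicators by also flagging a first-try login from an unlisted IP, since hardcoded credentials succeed without any failed attempts.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

AUTHORIZED_MGMT = [ip_network("10.20.0.0/28")]  # assumed management ACL
WINDOW = timedelta(minutes=10)                  # assumed correlation window
MIN_FAILURES = 3                                # assumed threshold

# Constructed sample events. event_type, auth_failure and config_change come
# from the SIEM query; auth_success, device and src_ip are assumed names.
FIELDS = ("ts", "device", "src_ip", "event_type")
ROWS = [
    ("2025-01-01T02:14:05", "phone-17", "10.20.0.5", "auth_success"),
    ("2025-01-01T02:20:00", "phone-17", "203.0.113.44", "auth_failure"),
    ("2025-01-01T02:20:07", "phone-17", "203.0.113.44", "auth_failure"),
    ("2025-01-01T02:20:15", "phone-17", "203.0.113.44", "auth_failure"),
    ("2025-01-01T02:20:30", "phone-17", "203.0.113.44", "auth_success"),
    ("2025-01-01T02:21:10", "phone-17", "203.0.113.44", "config_change"),
    ("2025-01-01T03:05:00", "phone-22", "198.51.100.9", "auth_success"),
    ("2025-01-01T03:10:00", "phone-17", "10.20.0.5", "config_change"),
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def is_authorized(ip):
    """True if ip is inside the management allowlist."""
    return any(ip_address(ip) in net for net in AUTHORIZED_MGMT)

def detect(events):
    """Return (rule, device, src_ip) alerts in time order."""
    alerts, failures = [], {}  # failures: (device, src_ip) -> timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key, kind = (ev["device"], ev["src_ip"]), ev["event_type"]
        if kind == "auth_failure":
            failures.setdefault(key, []).append(ts)
        elif kind == "auth_success":
            # Only failures inside the window count toward the first rule.
            recent = [t for t in failures.pop(key, []) if ts - t <= WINDOW]
            if not is_authorized(ev["src_ip"]):
                hit = len(recent) >= MIN_FAILURES
                alerts.append(("failures_then_success" if hit else "unlisted_login", *key))
        elif kind == "config_change" and not is_authorized(ev["src_ip"]):
            alerts.append(("unauthorized_config_change", *key))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```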
