CVE-2018-25120

CWE-78 — OS Command Injection4 documents4 sources

Severity

9.3CRITICAL

EPSS

1.2%

top 20.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

D-link Dns-343 Sharecenter Dlink Dns-343 Firmware

Timeline

PublishedOct 29

Description

D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. NOTE:…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDdlink/dns-343_firmware1.0.5

▶CVEListV5d-link/dns-343_sharecenter1.05

🔴Vulnerability Details

GHSA

GHSA-3r6w-f62x-hc2h: D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1↗2025-10-29

▶

CVEList

D-Link DNS-343 ShareCenter <= 1.05 Command Injection via /goform/Mail_Test↗2025-10-29

▶

VulnCheck

D-Link dns-343_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')↗2018

▶