CVE-2025-4340

CWE-74 CWE-77 — Command Injection3 documents3 sources

Severity

5.3MEDIUM

EPSS

2.4%

top 14.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dlink Dir-806 Firmware Dlink Dir-890l Firmware D-link Dir-806a1 +1 more

Timeline

PublishedMay 6

Description

A vulnerability classified as critical has been found in D-Link DIR-890L and DIR-806A1 up to 100CNb11/108B03. Affected is the function sub_175C8 of the file /htdocs/soap.cgi. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDdlink/dir-890l_firmware1.08b03

▶CVEListV5d-link/dir-890l100CNb11, 108B03+1

▶CVEListV5d-link/dir-806a1100CNb11, 108B03+1

▶NVDdlink/dir-806_firmware100cnb11

🔴Vulnerability Details

GHSA

GHSA-rh69-7g6g-53pr: A vulnerability classified as critical has been found in D-Link DIR-890L and DIR-806A1 up to 100CNb11/108B03↗2025-05-06

▶

CVEList

D-Link DIR-890L/DIR-806A1 soap.cgi sub_175C8 command injection↗2025-05-06

▶