CVE-2025-7407
Published 2025-07-10
PriorityP185high8.8CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 8.30% (94.2nd percentile)
A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early and confirmed the existence of the vulnerability. They reacted very quickly, professionally and kindly. This vulnerability only affects products that are no longer supported by the maintainer.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | d6400 | — | — |
| netgear | d6400_firmware | — | — |
Detection & IOCs (extracted from sources)
path: /diag.cgi
- Exploit targets HTTP POST requests to /diag.cgi with a query string (|3f| = '?'), injecting OS command metacharacters into the host_name parameter body field.
- Command injection payload is identified by the presence of shell metacharacters (semicolon ';', newline '\n', backtick '`', pipe '|', dollar sign '$') — encoded or unencoded — immediately following the host_name parameter value in the POST body.
- The URI length for /diag.cgi (with query string delimiter) is exactly 13 bytes; use this as a fast-pattern anchor to reduce false positives.
- Attack is inbound to the network (to_server, to HOME_NET), plaintext only — deploy detection at perimeter and internal network boundaries.
- The manipulation of the argument host_name leads to OS command injection and can be initiated remotely; monitor CGI handler processes on Netgear D6400 for unexpected child process spawning.
- This vulnerability only affects Netgear D6400 firmware version 1.0.0.114, which is end-of-life and no longer supported by the vendor; no patch will be issued.
- The Snort/Suricata rule (ET sid:2067092) is scoped to plaintext HTTP only; HTTPS-wrapped traffic to the device management interface will not be detected by this rule.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 5.3 | MEDIUM | — |
GHSA
GHSA-m5q6-6prw-vpgq · ghsa_unreviewed · 2025-07-10
CVE-2025-7407 [MEDIUM] CWE-77: A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114 (same description as above).
VulnCheck
NETGEAR d6400_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2025 · CVSS 5.3 · CVE-2025-7407 [MEDIUM] (same description as above)
Affected: NETGEAR d6400_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if r
Suricata
ET WEB_SPECIFIC_APPS Netgear diag.cgi host_name Parameter Command Injection Attempt (CVE-2025-7407)
suricata · 2026-01-26 · CVSS 5.3 · CVE-2025-7407 [MEDIUM]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netgear diag.cgi host_name Parameter Command Injection Attempt (CVE-2025-7407)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/diag.cgi|3f|"; fast_pattern; http.request_body; content:"host_name|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Netgear7/vuln_66/66.md; reference:cve,2025-7407; classtype:attempted-admin; sid:2067092; rev:1; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_26, cve CVE_2025_7407, d
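As an added illustration (not code from the original page or from the ET rule authors), the Python below applies the match conditions of the ET rule quoted above, and walked through in the Detection & IOCs bullets, to constructed sample requests so the rule's scope (POST only, 13-byte URI, metacharacters before the first '&') can be checked offline; the host address, query string and sample bodies are made up.

```python
import re

# Transcribed from the ET rule's pcre (sid:2067092): after "host_name=", zero or
# more non-'&' bytes (lazy), then one or more metacharacters, each accepted raw
# or percent-encoded: ';'/%3B, '\n'/%0A, '`'/%60, '|'/%7C, '$'/%24.
METACHAR_RE = re.compile(
    rb"^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)"
    rb"|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)

def parse_request(raw: bytes):
    # Split a raw HTTP/1.1 request into (method, uri, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _version = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return method, uri, body

def matches_sid_2067092(raw: bytes) -> bool:
    """Apply the rule's match conditions, in rule order, to one plaintext request."""
    method, uri, body = parse_request(raw)
    if method != b"POST":                       # http.method; content:"POST"
        return False
    # http.uri; bsize:13; content:"/diag.cgi|3f|" -> URI buffer is exactly 13 bytes
    # and contains "/diag.cgi?" (10 bytes), i.e. a 3-byte query string.
    if len(uri) != 13 or b"/diag.cgi?" not in uri:
        return False
    # http.request_body; content:"host_name|3d|" then the pcre with /R: anchored
    # immediately after the first "host_name=" in the body.
    idx = body.find(b"host_name=")
    return idx >= 0 and METACHAR_RE.match(body[idx + 10:]) is not None

def _req(method: bytes, uri: bytes, body: bytes) -> bytes:
    # Constructed request; 192.0.2.1 is a documentation address, not a real device.
    return (method + b" " + uri + b" HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)

# Constructed sample traffic (not captures from the original page).
SAMPLES = {
    "encoded_semicolon":  _req(b"POST", b"/diag.cgi?x=1", b"host_name=lab%3Bx&page=1"),
    "raw_pipe":           _req(b"POST", b"/diag.cgi?x=1", b"host_name=lab|x"),
    "benign_hostname":    _req(b"POST", b"/diag.cgi?x=1", b"host_name=lab-router.example&page=1"),
    "metachar_after_amp": _req(b"POST", b"/diag.cgi?x=1", b"host_name=lab&note=a%3Bb"),
    "wrong_method":       _req(b"GET",  b"/diag.cgi?x=1", b"host_name=lab%3Bx"),
    "other_query_length": _req(b"POST", b"/diag.cgi?x=12", b"host_name=lab%3Bx"),
}

def scan(samples=SAMPLES) -> dict:
    # {sample name: True if the rule would alert}
    return {name: matches_sid_2067092(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:20s} {'ALERT' if hit else 'no alert'}")
```

The last two samples show the rule's deliberate scope: a different method or a URI whose length is not exactly 13 bytes is outside what sid:2067092 covers, which matters when deciding whether this single rule is sufficient coverage for the device.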
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/wudipjq/my_vuln/blob/main/Netgear7/vuln_66/66.md
- https://github.com/wudipjq/my_vuln/blob/main/Netgear7/vuln_66/66.md#poc
- https://vuldb.com/?ctiid.315867
- https://vuldb.com/?id.315867
- https://vuldb.com/?submit.603668
- https://www.netgear.com/