#VU112892 OS Command Injection in D-Link products - CVE-2025-7553

Vulnerability identifier: #VU112892

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-7553

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
DAP-1522
Dir-300
DIR-600
DIR-601
DIR-629
DIR-645
DIR-815
DIR-816L
DIR-817L
DIR-817Lx
DIR-818Lx
DIR-820Lx
DIR-825
DIR-850L
DIR-860L
Dir-865L
DIR-868L
DIR-880L
DIR-885L/R
DIR-890L/R
DIR-895L/R

Software vendor:
D-Link

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the System Time Page component. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

• https://vuldb.com/?ctiid.316251
• https://vuldb.com/?id.316251
• https://vuldb.com/?submit.614928
• https://www.dlink.com/
• https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10302