External risk intelligence

DI-7400G+ Router Command Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-57105

The vulnerable product is a router, a device typically deployed at the network edge. The vulnerability exists within the web-based management interface, which is designed to be accessible for device configuration and is frequently exposed to the internet in common deployment scenarios.

Command Injection

Dlink Di 7400g\+ Firmware

19.12.25a1

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability found in D-Link DI-7400G+ routers, specifically within their web management interface. The issue allows for command injection, meaning an attacker could potentially run unauthorized commands on the affected devices, posing a significant risk to network security.

  • Attackers can run any command on vulnerable routers.
  • Routers are critical network entry points.
  • Assess impact on network infrastructure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the router's web interface. This request would target specific functions within the `jhttpd` program, likely by manipulating the `ac_mng_srv_host` parameter. Successful exploitation would allow the attacker to execute arbitrary commands on the device, potentially leading to complete control.

  • No authentication required.
  • Triggered via web interface parameter.
  • Risk of arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary commands on the affected router when specific parameters are sent to the `jhttpd` program. This could potentially impact the router's service behavior and expose system data.

  • System data and service behavior.
  • Through network requests to the router.
  • Unauthenticated command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Device and network infrastructure teams are likely responsible for addressing this command injection vulnerability in the DI-7400G+ router. The initial focus should be on identifying all instances of this device within the environment, assessing their exposure to external networks, and confirming their business criticality. Once accountable owners are identified, a prioritized remediation plan can be developed, potentially involving vendor coordination or temporary risk mitigation strategies.

  • Infrastructure and Network Teams own remediation.
  • Verify internet-facing and critical deployments first.
  • Plan maintenance for coordinated patching or configuration changes.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the D-Link DI-7400G+ router?

The D-Link DI-7400G+ is a networking device typically used to manage internet traffic and connect internal devices to the broader network. As a router, it serves as a gateway that inspects and directs data flow, making it a central component of network infrastructure. This specific model includes a web-based management interface that allows administrators to configure system settings, update security rules, and monitor device performance.

How does CVE-2025-57105 work as a command injection?

This vulnerability, classified as CWE-77 (Improper Neutralization of Special Elements used in an OS Command), occurs when software passes unsafe user-supplied data to a system shell. In this case, the router fails to properly filter the 'ac_mng_srv_host' parameter sent to its web server component. Consequently, an attacker can input system commands instead of expected configuration data, tricking the device into executing those commands with the privileges of the router's operating system.

Do I need authentication to trigger this vulnerability?

No. The vulnerability in the jhttpd program can be triggered by sending a specially crafted request directly to the router's web interface without any requirement to log in. It is not triggered by legitimate administrative activity, but rather by malicious manipulation of the specific parameter mentioned in the advisory. If the router's web interface is unreachable or isolated from the network, the path to trigger this flaw is significantly restricted.

Why is this router a high priority for security teams?

Halo Surface Signal notes that this product is a router typically deployed at the network edge, acting as a bridge between internal networks and the internet. Because the vulnerability exists in a web interface that is frequently exposed to the internet to facilitate remote management, the barrier for an attacker is very low. This makes it a critical point of concern for any organization that has these devices deployed in internet-facing configurations.

What steps should I take if I use this hardware?

Begin by auditing your network environment to identify all instances of the DI-7400G+ in use. Prioritize checking devices that are directly connected to the internet, as these represent the most immediate risk. Work with your IT or network infrastructure teams to verify if these units are accessible externally and consider moving their management interfaces to a private, non-routable network segment until a formal vendor update or mitigation strategy is applied.

References