CVE-2018-25120

Published 29/10/2025 19:15 · Modified 29/10/2025 19:15

Labels: CVE-2018-25120, 2025-10-29, CWE-78, [email protected]

Essential information

Published
29/10/2025 19:15
Modified
29/10/2025 19:15
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. NOTE: The DNS-343 product line has been declared end-of-life.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product | CPE
d-link / dns-343 | cpe:2.3:a:d-link:dns-343:1.05:*:*:*:*:*:*:*

References