CVE-2025-69542
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-02-10
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-895la1_firmware | 102b07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Command Injection issue in the DHCP daemon service of the D-Link DIR895LA1 router. It occurs because the DHCP hostname parameter is directly inserted into a system command without proper sanitization during lease renewal processing. This allows an attacker to send a malicious hostname when renewing a DHCP lease, causing arbitrary commands to be executed with root privileges on the device.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary commands with root privileges on the affected device. This could lead to full compromise of the router, including unauthorized access, control over network traffic, data interception, or disruption of network services.