D-Link DI-7001 MINI CVE-2025-12313
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD, the only source for this CVE.
Description (source: CVE.org)
A vulnerability has been found in D-Link DI-7001 MINI 19.09.19A1/24.04.18B1. The affected element is an unknown function of the file /msp_info.htm. Such manipulation of the argument cmd leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
Command injection in D-Link DI-7001 MINI firmware versions 19.09.19A1 and 24.04.18B1 allows authenticated remote attackers to execute arbitrary commands via the cmd parameter in /msp_info.htm. The vulnerability has a public exploit available, though the extremely low CVSS score (2.1) and EPSS percentile (24th) indicate limited real-world exploitability despite network accessibility, as exploitation requires valid login credentials and results in low-impact information disclosure rather than system compromise.
Technical Context (AI-generated)
The vulnerability exists in the /msp_info.htm file of D-Link DI-7001 MINI networking devices, where user-supplied input in the cmd parameter is not properly sanitized before being passed to a command execution function. This is a classic command injection vulnerability (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')): shell metacharacters or command separators in the cmd value allow an authenticated user to break out of the intended command context and execute arbitrary system commands. The affected firmware versions are 19.09.19A1 and 24.04.18B1, both running on the DI-7001Mini-8G hardware platform. The vulnerability requires authentication (PR:L in the CVSS vector), which limits exposure to users holding valid device credentials.
Remediation (AI-generated)
No vendor-released patch has been publicly identified at time of analysis. Contact D-Link support directly for firmware updates beyond version 24.04.18B1. As an immediate compensating control, restrict administrative access to the DI-7001 MINI device by limiting login credentials to trusted personnel only and disabling remote management of the /msp_info.htm endpoint if the underlying service permits. If the device firmware cannot be updated, disable the affected management interface entirely and access device administration only through secured local console access if operationally feasible. Implement network-level segmentation to restrict management traffic to this device to authorized subnets only, reducing the attack surface to authenticated users who can reach the network segment. Note that these controls do not eliminate the vulnerability but reduce the likelihood of credential compromise leading to command execution.