D-Link DIR-806A CVE-2025-15391

Severity: LOW (2.1, CVSS 4.0 · NVD)
Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-12-31 · cna@vuldb.com

Severity by source

NVD (primary): 2.1 LOW

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 29, 2026 - 01:45 (vuln.today)

Description (CVE.org)

A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.

Analysis (AI)

Command injection in the SSDP Request Handler (ssdpcgi_main function) of D-Link DIR-806A firmware 100CNb11 allows remote authenticated attackers to execute arbitrary commands with low integrity and availability impact. Publicly available exploit code exists, but the vulnerability affects only end-of-life firmware, and the real-world exploitation probability is minimal (EPSS 0.11%) because the attacker must already hold low-privilege access and the scope of impact is limited.

Technical Context (AI)

The vulnerability exists in the SSDP (Simple Service Discovery Protocol) request handler component of the D-Link DIR-806A wireless router firmware version 100CNb11. The flaw is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating insufficient input validation or sanitization of user-supplied data passed to the ssdpcgi_main function. SSDP is a network protocol used for device discovery on UPnP networks, typically accessible via UDP port 1900. The command injection occurs when user-controlled input is inadequately filtered before being passed to system command execution routines, allowing an attacker to inject shell metacharacters or commands.

Remediation (AI)

No vendor-released security patch is available for firmware version 100CNb11, as D-Link has discontinued support for DIR-806A 100CNb11. The primary remediation is device replacement or upgrade to a current D-Link router model receiving active firmware updates. Interim compensating controls include:

(1) Restrict network access to the SSDP port (UDP 1900) at the firewall boundary, blocking requests from untrusted network segments. This prevents remote exploitation but disables UPnP device discovery functionality.

(2) Disable UPnP/SSDP features entirely in the router administration console if UPnP is not required for your network, eliminating the attack surface at the cost of losing automatic device discovery capabilities.

(3) Isolate the router on a separate management network with strict access controls and authentication, limiting potential exploiters to authenticated users with network access.

Given the end-of-life status and minimal EPSS score, device replacement is the recommended path forward for critical deployments.