Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
D-Link DPH-400S/SE VoIP Phone v1.01 contains hardcoded provisioning variables, including PROVIS_USER_PASSWORD, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools such as strings or xxd, potentially leading to unauthorized access to device functions or user accounts. This vulnerability exists due to insecure storage of sensitive information in the firmware binary.
Analysis (AI)
D-Link DPH-400S/SE VoIP phones running firmware v1.01 contain hardcoded provisioning credentials (PROVIS_USER_PASSWORD) embedded directly in the firmware binary, allowing attackers with firmware access to extract sensitive authentication material via static analysis tools. This critical vulnerability (CVSS 9.8) enables unauthorized access to device management functions and potentially user accounts, with network-accessible exploitation possible if combined with firmware extraction techniques.
Technical Context (AI)
The DPH-400S/SE is a legacy VoIP phone that uses provisioning mechanisms to configure device parameters and authentication credentials. The vulnerability stems from CWE-798 (Use of Hard-Coded Credentials), where sensitive provisioning authentication variables are embedded unencrypted in the firmware binary rather than being derived, encrypted, or stored securely. Attackers can extract these credentials using simple string-matching tools (strings, xxd, binwalk) without requiring cryptographic key material or advanced reverse engineering. The provisioning user account typically grants administrative access to phone configuration, call logs, network settings, and potentially SIP credentials, making credential extraction a direct path to device compromise.
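A defender-side audit for the condition described above, as an added example that is not part of the advisory or of D-Link's code: it scans a firmware image for credential-named variables that carry a non-empty embedded value and reports only the offset, key name and value length. The `KEY=value` layout, the key-name patterns other than PROVIS_USER_PASSWORD, and the sample image are assumptions made for illustration.

```python
import re

# Assignment of a non-empty printable value to a credential-looking key.
# PROVIS_USER_PASSWORD comes from the advisory; PASSWD/SECRET and the
# KEY=value layout are assumptions for this example.
ASSIGN = re.compile(
    rb'([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET)[A-Z0-9_]*)'  # key name
    rb'[ \t]*=[ \t]*"?'                                   # separator
    rb'([\x21\x23-\x7e]+)'                                # printable value
)


def find_hardcoded_secrets(image: bytes):
    """Return one finding per embedded credential assignment.

    The value itself is never returned, only its length, so the report can
    be attached to a ticket without spreading the secret further.
    """
    findings = []
    for m in ASSIGN.finditer(image):
        findings.append({
            "offset": m.start(),
            "key": m.group(1).decode("ascii"),
            "value_len": len(m.group(2)),
        })
    return findings


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware blob (not real DPH-400S/SE data)."""
    return (
        b"\x7fELF\x01\x00" + bytes(32)
        + b"PROVIS_SERVER=prov.example.invalid\x00"
        + b"\xff\xfe\x00"
        + b"PROVIS_USER_PASSWORD=constructed-value\x00"
        + b"PROVIS_USER_PASSWORD=\x00"  # empty default: nothing embedded
        + bytes(16)
    )


if __name__ == "__main__":
    for f in find_hardcoded_secrets(build_sample_image()):
        print(f"0x{f['offset']:06x} {f['key']} "
              f"({f['value_len']} bytes, value redacted)")
```

A non-empty result is a reason to block the image from deployment and to treat the embedded credential as compromised.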
Remediation (AI)
Immediate actions:
(1) Upgrade DPH-400S/SE devices to the latest available firmware version beyond 1.01 (D-Link should release a patched version removing hardcoded credentials and implementing secure credential storage);
(2) If firmware updates are unavailable, isolate affected phones on dedicated VoIP VLANs with strict access controls and disable remote provisioning/management interfaces;
(3) Change any extracted provisioning credentials immediately if compromise is suspected;
(4) Audit firmware change logs and device access logs for unauthorized configuration changes.
Long-term:
(1) Implement firmware verification and secure boot mechanisms;
(2) Migrate to supported VoIP phone models with current security maintenance;
(3) Disable TFTP/HTTP firmware download mechanisms in favor of secure provisioning;
(4) Monitor D-Link security advisories for DPH-400S/SE patches at https://support.dlink.com/.
Contact D-Link support to confirm patch availability and timeline.
EUVD-2025-28025