EUVD-2025-28025

CVE-2025-45784 CRITICAL
2025-06-18
CVSS 3.1: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 22:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 22:49 (euvd), EUVD-2025-28025
PoC Detected: Jul 22, 2025 - 14:24 (vuln.today), public exploit code
CVE Published: Jun 18, 2025 - 14:15 (nvd), CRITICAL 9.8

Description

D-Link DPH-400S/SE VoIP Phone v1.01 contains hardcoded provisioning variables, including PROVIS_USER_PASSWORD, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools such as strings or xxd, potentially leading to unauthorized access to device functions or user accounts. This vulnerability exists due to insecure storage of sensitive information in the firmware binary.

Analysis

D-Link DPH-400S/SE VoIP phones running firmware v1.01 contain hardcoded provisioning credentials (PROVIS_USER_PASSWORD) embedded directly in the firmware binary, allowing attackers with firmware access to extract sensitive authentication material via static analysis tools. This critical vulnerability (CVSS 9.8) enables unauthorized access to device management functions and potentially user accounts, with network-accessible exploitation possible if combined with firmware extraction techniques.

Technical Context

The DPH-400S/SE is a legacy VoIP phone that uses provisioning mechanisms to configure device parameters and authentication credentials. The vulnerability stems from CWE-798 (Use of Hard-Coded Credentials), where sensitive provisioning authentication variables are embedded unencrypted in the firmware binary rather than being derived, encrypted, or stored securely. Attackers can extract these credentials using simple string-matching tools (strings, xxd, binwalk) without requiring cryptographic key material or advanced reverse engineering. The provisioning user account typically grants administrative access to phone configuration, call logs, network settings, and potentially SIP credentials, making credential extraction a direct path to device compromise.
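A firmware release check for the condition described above, as an added example that is not from the original page or from D-Link: it scans an image for printable PROVIS_* assignments and reports each variable's name, offset and value length without echoing the value. The NAME=value layout, the PROVIS_USER_NAME variable and the sample bytes are assumptions constructed for illustration; only PROVIS_USER_PASSWORD comes from the advisory.

```python
import re

# Assumption: provisioning variables sit in the image as printable NAME=value
# text. The advisory does not describe the real storage layout.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # same idea as strings(1)
ASSIGNMENT = re.compile(rb"\b(PROVIS_[A-Z0-9_]+)\s*=\s*(\S+)")
SENSITIVE = re.compile(rb"PASS|PWD|SECRET|KEY")

def audit_firmware(blob: bytes):
    """Return one finding per PROVIS_* variable that has a non-empty value."""
    findings = []
    for run in PRINTABLE_RUN.finditer(blob):
        for m in ASSIGNMENT.finditer(run.group()):
            name, value = m.group(1), m.group(2)
            findings.append({
                "offset": run.start() + m.start(),
                "name": name.decode("ascii"),
                "sensitive": bool(SENSITIVE.search(name)),
                "value_len": len(value),  # the value itself is never reported
            })
    return findings

def release_gate(blob: bytes):
    """Names of credential-like variables shipped with a value; empty means pass."""
    return [f["name"] for f in audit_firmware(blob) if f["sensitive"]]

# Constructed sample image: binary padding around two provisioning strings.
# PROVIS_USER_NAME is a hypothetical variable; the values are placeholders.
SAMPLE = (
    b"\x7fELF\x00\x01\x02" + b"\x00" * 16
    + b"PROVIS_USER_NAME=example-user\x00"
    + b"PROVIS_USER_PASSWORD=EXAMPLE-NOT-REAL\x00"
    + b"\xff\xfe" * 8
)

if __name__ == "__main__":
    for finding in audit_firmware(SAMPLE):
        print(finding)
    blocked = release_gate(SAMPLE)
    print("FAIL: hardcoded credentials" if blocked else "PASS", blocked)
```

A variable that is present but empty (a placeholder filled in at provisioning time) produces no finding, so the gate only fails on images that ship an actual value.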

Affected Products

D-Link DPH-400S/SE VoIP Phone firmware version 1.01. CPE string: cpe:2.3:o:d-link:dph-400s_se_firmware:1.01:*:*:*:*:*:*:* (or separate CPEs for DPH-400S and DPH-400SE variants if versioned independently). Affected configurations include both factory default and provisioned deployments, as hardcoded credentials are present in all v1.01 builds. Legacy deployments may also be affected if firmware versions prior to 1.01 contain similar issues.

Remediation

Immediate actions:
(1) Upgrade DPH-400S/SE devices to the latest available firmware version beyond 1.01 (D-Link should release a patched version removing hardcoded credentials and implementing secure credential storage);
(2) If firmware updates are unavailable, isolate affected phones on dedicated VoIP VLANs with strict access controls and disable remote provisioning/management interfaces;
(3) Change any extracted provisioning credentials immediately if compromise is suspected;
(4) Audit firmware change logs and device access logs for unauthorized configuration changes.

Long-term:
(1) Implement firmware verification and secure boot mechanisms;
(2) Migrate to supported VoIP phone models with current security maintenance;
(3) Disable TFTP/HTTP firmware download mechanisms in favor of secure provisioning;
(4) Monitor D-Link security advisories for DPH-400S/SE patches at https://support.dlink.com/.

Contact D-Link support to confirm patch availability and timeline.

Priority Score

70
KEV: 0
EPSS: +0.5
CVSS: +49
POC: +20
