CVE-2025-14659 · CRITICAL 9.8 · EPSS p87.5%

Description

A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03. Affected is an unknown function of the component DHCP Daemon. The manipulation of the argument Hostname results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.45% probability of exploitation · percentile 87.5% · 2026-06-18T12:00:27Z
Published: 2025-12-14
Last modified: 2026-03-08

Underlying weaknesses · 2

CWE-74, CWE-77

References

  1. https://tzh00203.notion.site/D-Link-DIR-860LB1-v203b03-Command-Injection-in-DHCPd-2c6b5c52018a807eab1ae73dbd95eee3?source=copy_link
  2. https://tzh00203.notion.site/D-Link-DIR-868LB1-v203b01-Command-Injection-in-DHCPd-2c8b5c52018a805296c3dea51a7a4070?source=copy_link
  3. https://vuldb.com/?ctiid.336391
  4. https://vuldb.com/?id.336391
  5. https://vuldb.com/?submit.713701
  6. https://vuldb.com/?submit.714709
  7. https://www.dlink.com/

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') · cwe-74 | 0% | live
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') · cwe-77 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-69542
  2. CVE-2025-4349
  3. CVE-2025-15391
  4. CVE-2026-4499
  5. CVE-2026-3485
  6. CVE-2025-2359

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.