D-Link DNS-343 ShareCenter <= 1.05 Command Injection via /goform/Mail_Test

Advisories

severity: critical
date: October 29, 2025
Affecting: DNS-343 firmware <= 1.05
The DNS-343 product line has been declared end-of-life.
CVE: CVE-2018-25120
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Researcher Disclosure
ExploitDB-43845
SeeBug-97088
DNS-343 EOL Product Page
Credit: James Bercegay of GulfTech Research and Development
Description: D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. NOTE: The DNS-343 product line has been declared end-of-life.