CVE-2025-12296

A security vulnerability has been detected in D-Link DAP-2695 2.00RC13. The impacted element is the function sub_4174B0 of the component Firmware Update Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Published: Oct 27, 2025
Updated: Nov 4, 2025
CVE: CVE-2025-12296
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.7
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:L/Au:M/C:P/I:P/A:P

CWEs:

CWE-78
CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
dlink / dap-2695_firmware	2.00-rc131	2.00-rc131.x

https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Dlink/DAP-2695_Injection.md
https://vuldb.com/?ctiid.329964
https://vuldb.com/?id.329964
https://vuldb.com/?submit.675855
https://www.dlink.com/

Vulnerability Database

CVE-2025-12296

Deep Security Visibility Without the Complexity