关键信息 漏洞名称: D-Link DNS-343 ShareCenter <= 1.05 Command Injection via /goform/Mail_Test 严重性: CRITICAL 日期: October 29, 2025 影响范围: - DNS-343 firmware <= 1.05 - The DNS-343 product line has been declared end-of-life. CVE编号: CVE-2018-25120 CWE编号: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CVSS评分: 9.3 CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 参考资料: - Researcher Disclosure - ExploitDB-43845 - SeeBug-97088 - DNS-343 EOL Product Page 发现者: James Bercegay of GulfTech Research and Development 描述: - D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. Note: The DNS-343 product line has been declared end-of-life.