D-Link DPH-400S/SE VoIP Phone v1.01 contains hardcoded provisioning variables, including PROVIS_USER_PASSWORD, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools such as strings or xxd, potentially leading to unauthorized access to device functions or user accounts. This vulnerability exists due to insecure storage of sensitive information in the firmware binary.
History

Thu, 26 Jun 2025 16:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | D-link, D-link dph-400s, D-link dph-400s Firmware, D-link dph-400se, D-link dph-400se Firmware |
| CPEs | | `cpe:2.3:h:d-link:dph-400s:-:*:*:*:*:*:*:*`, `cpe:2.3:h:d-link:dph-400se:-:*:*:*:*:*:*:*`, `cpe:2.3:o:d-link:dph-400s_firmware:1.0.1:*:*:*:*:*:*:*`, `cpe:2.3:o:d-link:dph-400se_firmware:1.0.1:*:*:*:*:*:*:*` |
| Vendors & Products | | D-link, D-link dph-400s, D-link dph-400s Firmware, D-link dph-400se, D-link dph-400se Firmware |

Wed, 18 Jun 2025 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-798 |
| Metrics | | cvssV3_1: `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`; ssvc: `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Wed, 18 Jun 2025 14:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | D-Link DPH-400S/SE VoIP Phone v1.01 contains hardcoded provisioning variables, including PROVIS_USER_PASSWORD, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools such as strings or xxd, potentially leading to unauthorized access to device functions or user accounts. This vulnerability exists due to insecure storage of sensitive information in the firmware binary. |
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-06-18T00:00:00.000Z

Updated: 2025-06-18T14:25:38.614Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-45784

Vulnrichment

Updated: 2025-06-18T14:24:55.971Z

NVD

Status: Analyzed

Published: 2025-06-18T14:15:44.553

Modified: 2025-06-26T15:54:43.523

Link: CVE-2025-45784

Redhat

No data.