Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-45784

D-Link DPH-400S/SE VoIP Phone v1.01 contains hardcoded provisioning variables, including PROVIS_USER_PASSWORD, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools such as strings or xxd, potentially leading to unauthorized access to device functions or user accounts. This vulnerability exists due to insecure storage of sensitive information in the firmware binary.

Published

2025-06-18T14:15:44.553

Last Modified

2025-06-26T15:54:43.523

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-798

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	d-link	dph-400se_firmware	1.0.1	Yes
Hardware	d-link	dph-400se	-	No
Operating System	d-link	dph-400s_firmware	1.0.1	Yes
Hardware	d-link	dph-400s	-	No

References

https://cybermaya.in/posts/Post-37/ Third Party Advisory, Exploit ([email protected])
https://www.dlink.com/en/security-bulletin/ Vendor Advisory ([email protected])