
Security Advisory: Hardcoded Password Logging in D-Link DPH-400S/SE Firmware (CVE-2025-45784)

Author: Shaunak Ganorkar, Traboda Cyberlabs Pvt. Ltd.
Published: June 2025
CVE ID: CVE-2025-45784
Impact: Information Disclosure
Severity: Medium (Context-Dependent)


Summary

A vulnerability was discovered in the firmware of the D-Link DPH-400S and DPH-400SE VoIP phones, allowing sensitive provisioning credentials to be exposed through hardcoded debug logging strings.

This issue affects firmware version v1.01. An attacker with access to the firmware image or device logs can extract user credentials without authentication. The vulnerability was responsibly disclosed to D-Link and has been assigned CVE-2025-45784.

While the affected models are End-of-Life (EOL), they may still exist in legacy environments and pose an ongoing risk.

Vulnerability Details

During static firmware analysis of the image DPH-400S_DPH-400SE_A1_FW_v1.01.bin, the following hardcoded strings were identified:

PROVIS_USER_PASSWORD = %s

PROVIS_ADMIN_PASSWORD = %s

These were found in the following binaries:

  • firmware/bin/tcAppPhoneProvisioning
  • firmware/bin/tcAppPhoneLogin
  • firmware/bin/tcGlobalTelnetCheckPassword

The string PROVIS_USER_PASSWORD was located at offset 0x00441650.

A simple strings command confirms their presence:

$ strings DPH-400S_DPH-400SE_A1_FW_v1.01.bin | grep PROVIS
PROVIS_USER_PASSWORD = %s
PROVIS_ADMIN_PASSWORD = %s

No encryption or access control protects these values, allowing easy extraction via static analysis tools such as strings, xxd, or binwalk.

Impact

An attacker with access to the firmware image or extracted logs can:

  • Recover valid provisioning or administrative credentials
  • Gain unauthorized access to VoIP systems or services
  • Potentially intercept or manipulate SIP-based communication sessions

This aligns with CWE-532: Insertion of Sensitive Information into Log File.

Attack Vector

  • Static firmware analysis (no need for live exploitation)
  • Access to firmware image, console output, or logs
  • No authentication required

Disclosure Timeline

Date            Event
April 4, 2025   Vulnerability reported to D-Link via email
April–May       Follow-ups with D-Link SIRT and regional escalation
May 14, 2025    D-Link confirms EOL status; no fix planned
May 31, 2025    CVE-2025-45784 reserved and published by MITRE
June 2025       Public advisory published

D-Link officially confirmed that the product reached End-of-Life on February 2, 2010, and will not be updated.

Recommendations

  • Retire or replace DPH-400S/SE devices still in use

  • Restrict access to firmware files, configuration backups, or provisioning logs

  • Isolate legacy VoIP equipment from internet-facing networks

  • Avoid reusing provisioning credentials across systems
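
Where these phones cannot be retired immediately, provisioning logs can be scrubbed at the collector before they are stored or forwarded. The following is an added example, not part of the original advisory or of any D-Link code; it assumes the logs arrive as text lines ending in the expanded format string, and the names scrub_line and scrub_log and the sample lines are hypothetical.

```python
import re

# Output shape of the two format strings named in the advisory:
#   "PROVIS_USER_PASSWORD = %s" and "PROVIS_ADMIN_PASSWORD = %s"
LEAK_RE = re.compile(r"(PROVIS_(?:USER|ADMIN)_PASSWORD)[ \t]*=[ \t]*(.*)$")
MASK = "[REDACTED]"

def scrub_line(line):
    """Return (safe_line, field); field is None when nothing was masked."""
    m = LEAK_RE.search(line)
    if m is None:
        return line, None
    value = m.group(2).strip()
    # The literal "%s" is the format string itself (e.g. a strings dump),
    # and an empty value carries no secret: leave both untouched.
    if value in ("", "%s"):
        return line, None
    # Mask to end of line: %s may expand to a value containing spaces.
    return line[:m.start(2)] + MASK, m.group(1)

def scrub_log(lines):
    """Scrub an iterable of log lines.

    Returns (safe_lines, findings). Findings carry only the line number and
    field name, so the alert never repeats the secret it reports.
    """
    safe, findings = [], []
    for lineno, raw in enumerate(lines, start=1):
        line, field = scrub_line(raw.rstrip("\r\n"))
        safe.append(line)
        if field:
            findings.append((lineno, field))
    return safe, findings

# Constructed sample: the timestamp/host prefix and values are made up.
SAMPLE = [
    "Jan  1 00:00:12 dph400 prov: fetching profile",
    "Jan  1 00:00:13 dph400 prov: PROVIS_USER_PASSWORD = example user pw",
    "Jan  1 00:00:13 dph400 prov: PROVIS_ADMIN_PASSWORD = Ex@mple-Adm1n",
    "Jan  1 00:00:14 dph400 prov: PROVIS_USER_PASSWORD = ",
]

if __name__ == "__main__":
    safe, findings = scrub_log(SAMPLE)
    print("\n".join(safe))
    print(findings)
```

Any credential that appears in a finding should be treated as exposed and rotated, since copies may already exist in earlier log archives.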

Discoverer

Shaunak Ganorkar

  • https://www.cybermaya.in
  • https://www.linkedin.com/in/shaunakganorkar

References

  • CVE-2025-45784 Record on cve.org

Disclaimer

This research was conducted purely for educational and responsible disclosure purposes. No unauthorized access or exploitation was performed on any active systems.


This post is licensed under CC BY-NC-ND 4.0 license by the author.