CVE-2025-11335 in DI-7100G C1
Summary
by MITRE • 10/06/2025
A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/20/2025
The vulnerability CVE-2025-11335 represents a critical command injection flaw within the D-Link DI-7100G C1 router firmware version 20250928 and earlier. This weakness resides in the jhttpd web server component, specifically within the sub_46409C function located in the /msp_info.htm?flag=qos file path. The vulnerability arises from improper input validation and sanitization of the iface parameter, which is passed as an argument to the vulnerable function. When an attacker manipulates this parameter, the system fails to properly escape or validate the input before incorporating it into system commands, creating a pathway for arbitrary code execution.
The technical exploitation of this vulnerability occurs through a remote attack vector, meaning that an unauthenticated attacker can leverage this flaw from outside the network perimeter. The command injection vulnerability allows attackers to execute arbitrary shell commands on the affected device with the privileges of the jhttpd process, which typically runs with elevated permissions. This presents a severe risk as the attacker can potentially gain full control over the router's functionality, access internal network resources, modify network configurations, or establish persistent backdoors. The public availability of exploit code significantly amplifies the threat level, as it removes the technical barrier for potential attackers to exploit this weakness.
From a cybersecurity perspective, this vulnerability aligns with CWE-77 and CWE-94 categories, representing command injection and improper validation of input, respectively. The ATT&CK framework categorizes this as a command and control activity under T1059.001, where adversaries use command injection to execute malicious code remotely. The impact extends beyond simple unauthorized access, as compromised routers can serve as pivot points for broader network infiltration, allowing attackers to conduct reconnaissance, establish lateral movement, or launch further attacks against connected devices. Network segmentation becomes ineffective when routers are compromised, as they often serve as gateways between different network zones, making this vulnerability particularly dangerous in enterprise environments.
The mitigation strategy for CVE-2025-11335 requires immediate firmware updates from D-Link to address the input validation issues in the jhttpd component. Organizations should also implement network segmentation measures, restrict access to router management interfaces, and deploy intrusion detection systems to monitor for suspicious traffic patterns. Additionally, network administrators should consider disabling unnecessary web services and implementing firewall rules that limit access to the router's management ports from trusted IP addresses only. Regular vulnerability assessments and network monitoring should be conducted to identify any potential exploitation attempts and ensure that all network devices remain protected against similar command injection vulnerabilities.