PT-2025-29887 · Linux+2
Peter Adkins · Published 2025-04-15 · Updated 2025-07-17 · CVE-2025-34125
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
D-Link DSP-W110A1 version 1.05B01
Description
An unauthenticated command injection vulnerability exists in the cookie handling process of the lighttpd web server. This occurs when specially crafted cookie values are processed, allowing remote attackers to execute arbitrary commands on the underlying Linux operating system. Successful exploitation enables full system compromise.
Recommendations
Update the firmware to a newer, fixed version. As a temporary workaround, consider restricting access to the cookie handling process until a patch is available.
Exploit
Fix
Special Elements Injection
OS Command Injection
Command Injection
Related Identifiers
Affected Products
D-Link Dsp-W110A1
Linux
Lighttpd