PT-2025-40892 · D Link · Di-7100G C1

Sheratan · Published 2025-10-06 · Updated 2025-11-20 · CVE-2025-11335

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

D-Link DI-7100G C1 versions up to 20250928

Description

A flaw exists in D-Link DI-7100G C1 that allows for remote command injection. This is due to the manipulation of the iface argument within the sub_46409C function of the /msp_info.htm?flag=qos file, part of the jhttpd component. The exploit for this issue has been publicly released.

Recommendations

Versions prior to 20250928 should be updated. As a temporary workaround, restrict access to the /msp_info.htm?flag=qos file. Avoid using the iface parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Special Elements Injection

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-12876
CVE-2025-11335

Affected Products

Di-7100G C1