D-Link DI-7100G C1 CVE-2025-11335

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-06 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 02:01 (vuln.today)

Description (CVE.org)

A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited.

Analysis (AI)

Command injection in D-Link DI-7100G C1 firmware up to version 20250928 allows remote authenticated attackers to execute arbitrary commands via the iface parameter of the /msp_info.htm?flag=qos endpoint in the jhttpd component. The vulnerability requires high-level administrative privileges. Although public exploit code exists, the EPSS score of 0.06% indicates that real-world exploitation is unlikely because of that privilege requirement.

Technical Context (AI)

The vulnerability exists in the jhttpd web server component of D-Link DI-7100G C1 devices, specifically in the function sub_46409C that processes the /msp_info.htm?flag=qos endpoint. The flaw stems from improper input validation on the iface parameter (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component, commonly known as Injection). The parameter is passed to a command execution function without sanitization, allowing an attacker with administrative credentials to inject shell metacharacters and execute arbitrary system commands on the device with the privileges of the jhttpd process.
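The defensive pattern for this class of flaw, as an added illustration that is not code from the D-Link firmware or from jhttpd (whose internals are not shown on this page): the interface name is checked against a strict allowlist and then passed as a discrete argv entry to execvp, so no shell ever parses it. Function names (iface_is_safe, iface_is_known, show_qos) and the tc command are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define IFACE_MAX 15 /* IFNAMSIZ - 1 on Linux */

/* Allowlist check for a network interface name: 1..15 characters,
 * only [A-Za-z0-9_.-], and the first character must be alphanumeric.
 * Anything a shell could interpret (; | & $ ` space, quotes) is rejected. */
bool iface_is_safe(const char *iface)
{
    if (iface == NULL) return false;
    size_t n = strlen(iface);
    if (n == 0 || n > IFACE_MAX) return false;
    if (!isalnum((unsigned char)iface[0])) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)iface[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return false;
    }
    return true;
}

/* Second gate: accept only interfaces the device actually exposes
 * (the caller supplies the list, e.g. from its own configuration). */
bool iface_is_known(const char *iface, const char *const *known, size_t nknown)
{
    for (size_t i = 0; i < nknown; i++)
        if (strcmp(iface, known[i]) == 0) return true;
    return false;
}

/* Shows QoS state for one interface without invoking a shell.
 * Returns the child's exit status, or -1 if the name is rejected or exec fails. */
int show_qos(const char *iface)
{
    if (!iface_is_safe(iface)) return -1; /* reject before anything is executed */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Each argument is a separate argv element: no metacharacter parsing. */
        char *const argv[] = {"tc", "qdisc", "show", "dev", (char *)iface, NULL};
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The contrast with the described flaw is that validation happens before any process is spawned and the value never becomes part of a command string, so there is nothing for a downstream interpreter to neutralise.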

Remediation (AI)

Upgrade D-Link DI-7100G C1 firmware to a version newer than 2025-09-28 (expected patch availability should be verified at https://www.dlink.com/ via product support or firmware downloads). Pending patch deployment, implement network-level controls: restrict access to the web management interface (/msp_info.htm) to trusted IP ranges using firewall rules or device-level access control lists (ACLs). Change default and weak administrative credentials immediately - this addresses the privilege prerequisite and significantly reduces risk. Disable remote management of the jhttpd web interface if local management is sufficient for your deployment. Monitor admin account activity and authentication logs for unauthorized access attempts. These controls mitigate exploitation risk while awaiting vendor patching.
