
CVE-2025-11335: D-Link DI-7100G C1 Firmware RCE Flaw

CVE-2025-11335 is a command injection vulnerability in D-Link DI-7100G C1 Firmware affecting the jhttpd component. Attackers can exploit this remotely to execute arbitrary commands. This article covers technical details, affected versions, impact analysis, and mitigation strategies.


CVE-2025-11335 Overview

CVE-2025-11335 is a command injection vulnerability [CWE-74] affecting D-Link DI-7100G C1 routers running firmware up to version 20250928. The flaw resides in the sub_46409C function within the jhttpd component, reachable through the /msp_info.htm?flag=qos endpoint. An authenticated remote attacker can inject operating system commands by manipulating the iface argument. The exploit details have been publicly disclosed, increasing the risk of opportunistic abuse against exposed devices.

Critical Impact

A remote attacker with valid credentials can execute arbitrary commands on the underlying operating system of the D-Link DI-7100G C1, leading to full device compromise.

Affected Products

  • D-Link DI-7100G C1 (hardware)
  • D-Link DI-7100G C1 firmware versions up to 2025-09-28
  • jhttpd web service component on affected firmware

Discovery Timeline

  • 2025-10-06 - CVE-2025-11335 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-11335

Vulnerability Analysis

The vulnerability exists in the sub_46409C function of the jhttpd web server, which handles requests to /msp_info.htm?flag=qos. The function processes the iface parameter without sanitizing shell metacharacters before passing it to a system command execution call. As a result, an attacker who reaches the QoS information endpoint can append shell commands to the iface value and have them executed in the context of the web server process. Because jhttpd typically runs with elevated privileges on embedded D-Link devices, successful injection yields control over the device's command shell.

Root Cause

The root cause is improper neutralization of special elements used in a command [CWE-74]. User-controlled input from the iface HTTP parameter is concatenated directly into a command string and passed to a shell, with no allow-listing, escaping, or argument-array execution. Common metacharacters such as ;, |, &&, and backticks are not filtered.

Attack Vector

The attack is network-based and requires high privileges, meaning the attacker must possess valid administrative credentials to reach the affected endpoint. Once authenticated, the attacker issues a crafted HTTP request to /msp_info.htm?flag=qos with a malicious iface argument containing shell metacharacters and the desired command payload. The injected command executes with the privileges of jhttpd, enabling configuration changes, credential theft, persistence, or pivoting into adjacent network segments.

No verified proof-of-concept code is reproduced here. Public technical references describing the request structure are listed in the VulDB entry #327218 and the Yuque writeup.

Detection Methods for CVE-2025-11335

Indicators of Compromise

  • HTTP requests to /msp_info.htm?flag=qos containing shell metacharacters such as ;, |, &, $(, or backticks in the iface parameter.
  • Unexpected child processes spawned by the jhttpd process on the router.
  • Outbound connections from the router to attacker-controlled hosts shortly after administrative HTTP sessions.

Detection Strategies

  • Inspect web access logs on the device or any upstream reverse proxy for requests targeting /msp_info.htm with non-standard characters in iface.
  • Deploy network intrusion detection signatures that flag command-injection patterns in HTTP query strings to the router management interface.
  • Correlate administrative logins with subsequent anomalous DNS or outbound traffic from the router.
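The log inspection described above, as an added example that is not part of the original advisory or any vendor tooling: it flags requests to /msp_info.htm?flag=qos whose iface value, after repeated percent-decoding, falls outside an interface-name allow-list, which is the check the Root Cause section notes is missing on the device. The Common Log Format layout, the allow-list pattern, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: legitimate iface values are short interface names (e.g. "wan1").
IFACE_OK = re.compile(r"[A-Za-z0-9_.:-]{1,16}")
# Assumption: Common Log Format request field, "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, placeholder CMD token).
SAMPLE_LOG = [
    '198.51.100.10 - admin [06/Oct/2025:10:00:01 +0000] "GET /msp_info.htm?flag=qos&iface=wan1 HTTP/1.1" 200 512',
    '203.0.113.7 - admin [06/Oct/2025:10:02:13 +0000] "GET /msp_info.htm?flag=qos&iface=wan1%3BCMD HTTP/1.1" 200 512',
    '203.0.113.7 - admin [06/Oct/2025:10:02:20 +0000] "GET /msp_info.htm?flag=qos&iface=wan1%253BCMD HTTP/1.1" 200 512',
    '198.51.100.10 - admin [06/Oct/2025:10:03:00 +0000] "GET /index.htm?iface=a%3Bb HTTP/1.1" 200 100',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded metacharacters surface."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def flagged_iface(line):
    """Return the decoded iface value if the request breaks the allow-list."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)  # decodes one layer of percent-encoding
    if url.path.lower() != "/msp_info.htm" or "qos" not in params.get("flag", []):
        return None
    for raw in params.get("iface", []):
        value = decode_fully(raw)
        # fullmatch (not match) so a trailing newline cannot slip past the check
        if not IFACE_OK.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (source_address, decoded_iface) for each flagged line."""
    hits = ((line.split()[0], flagged_iface(line)) for line in lines)
    return [(src, val) for src, val in hits if val is not None]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT src={src} iface={value!r}")
```

Matching against an allow-list rather than a list of known metacharacters also catches separators the indicator list does not name, such as an encoded newline.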

Monitoring Recommendations

  • Restrict and log all access to the router management plane, alerting on authentication from unexpected source addresses.
  • Forward router syslog data to a centralized analytics platform to retain evidence beyond local log rotation.
  • Monitor for firmware integrity changes and unexpected configuration modifications across the DI-7100G C1 fleet.

How to Mitigate CVE-2025-11335

Immediate Actions Required

  • Remove the DI-7100G C1 management interface from any untrusted or internet-facing network and restrict it to a dedicated management VLAN.
  • Rotate administrative credentials and disable any shared or default accounts that could be used to reach the vulnerable endpoint.
  • Audit recent administrative HTTP requests to /msp_info.htm for signs of exploitation attempts.

Patch Information

At the time of publication, no vendor patch has been listed in the available references. Consult the D-Link official website for firmware updates beyond version 20250928 and apply security updates as soon as they are released.

Workarounds

  • Block external access to the router's HTTP management interface using upstream firewall rules.
  • Limit administrative access to a small set of trusted source IP addresses through ACLs on the device.
  • Disable remote management features that are not strictly required for operations.
  • If feasible, replace end-of-support or unpatched devices with currently supported models.

```bash
# Example upstream ACL restricting router management access
# Set ROUTER_IP to the router's management address (192.0.2.1 is a placeholder)
# Replace 198.51.100.10 with your trusted admin host
ROUTER_IP="192.0.2.1"
iptables -A FORWARD -p tcp -d "$ROUTER_IP" --dport 80 -s 198.51.100.10 -j ACCEPT
iptables -A FORWARD -p tcp -d "$ROUTER_IP" --dport 80 -j DROP
iptables -A FORWARD -p tcp -d "$ROUTER_IP" --dport 443 -s 198.51.100.10 -j ACCEPT
iptables -A FORWARD -p tcp -d "$ROUTER_IP" --dport 443 -j DROP
```
