CVE-2025-10440

Summary

A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Affected Software

VendorProductVersion RangeStatus
D-LinkDI-810016.07.26A1affected
D-LinkDI-810017.12.20A1affected
D-LinkDI-810019.12.10A1affected
D-LinkDI-8100G16.07.26A1affected
D-LinkDI-8100G17.12.20A1affected
D-LinkDI-8100G19.12.10A1affected
D-LinkDI-820016.07.26A1affected
D-LinkDI-820017.12.20A1affected
D-LinkDI-820019.12.10A1affected
D-LinkDI-8200G16.07.26A1affected
D-LinkDI-8200G17.12.20A1affected
D-LinkDI-8200G19.12.10A1affected
D-LinkDI-800316.07.26A1affected
D-LinkDI-800317.12.20A1affected
D-LinkDI-800319.12.10A1affected
D-LinkDI-8003G16.07.26A1affected
D-LinkDI-8003G17.12.20A1affected
D-LinkDI-8003G19.12.10A1affected

Weaknesses

  • CWE-78: OS Command Injection
  • CWE-77: Command Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References