CVE-2025-10440
📋 TL;DR
This CVE describes an OS command injection vulnerability in D-Link routers' jhttpd component via the usb_paswd.asp file. Attackers can execute arbitrary commands remotely by manipulating the 'hname' argument. Affected devices include D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003, and DI-8003G running specific firmware versions.
💻 Affected Systems
- D-Link DI-8100
- D-Link DI-8100G
- D-Link DI-8200
- D-Link DI-8200G
- D-Link DI-8003
- D-Link DI-8003G
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise, allowing an attacker to execute arbitrary commands with root privileges and potentially leading to complete device takeover, data exfiltration, or use of the router as a pivot point into internal networks.
Likely Case
Remote code execution allowing attackers to modify device configuration, install malware, or create persistent backdoors on vulnerable routers.
If Mitigated
Limited impact if devices are behind firewalls with restricted WAN access and proper network segmentation is implemented.
🎯 Exploit Status
Exploit details have been publicly disclosed on GitHub, making exploitation relatively straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: UNKNOWN
Vendor Advisory: UNKNOWN
Restart Required: No
Instructions:
Check D-Link's official security advisories for firmware updates. If available, download and apply the latest firmware from D-Link's support portal.
🔧 Temporary Workarounds
Disable USB password management
If USB password management functionality is not required, disable it to remove the vulnerable component.
Access router admin interface > USB Settings > Disable USB password management
Restrict network access
Implement firewall rules to restrict access to the router's management interface from untrusted networks.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Isolate affected devices in a separate VLAN with strict access controls
- Implement network monitoring and intrusion detection for suspicious traffic to/from these devices
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface: Admin > System > Firmware Information. Compare against affected versions.
Check Version:
ssh admin@router_ip 'cat /etc/version' (or check the firmware version in the web interface)
Verify Fix Applied:
After applying any firmware update, verify the version no longer matches affected versions and test USB password functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to usb_paswd.asp with shell metacharacters in parameters
- Unexpected process execution from jhttpd
- Failed authentication attempts followed by command execution patterns
Network Indicators:
- HTTP requests containing shell commands in URL parameters
- Outbound connections from routers to suspicious IPs
- Unusual traffic patterns from router management interfaces
SIEM Query:
source="router_logs" AND (url="*usb_paswd.asp*" AND (param="*;*" OR param="*|*" OR param="*`*"))
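The same check as the SIEM query, as an added Python example (not part of the original advisory or any vendor tooling) that percent-decodes the 'hname' parameter before matching, so encoded metacharacters such as %3B are also caught. It assumes requests are recorded in combined-log format by an upstream proxy or sensor; the sample lines and the extra metacharacters beyond ; | and ` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters a shell treats specially; the page's SIEM query covers ; | and `.
# The extra ones ($, &, <, >, CR, LF) are an added generalisation.
SHELL_META = re.compile(r"[;|`$&<>\r\n]")
# Assumed log shape: combined-log request field, e.g. "GET /path?query HTTP/1.1"
REQUEST_FIELD = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
WATCHED_PAGE = "usb_paswd.asp"
WATCHED_PARAM = "hname"


def suspicious_hname(target, body=""):
    """Return the decoded hname value if it contains shell metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(WATCHED_PAGE):
        return None
    # parse_qsl percent-decodes, so %3B and %7C are matched as ; and |
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)  # form-encoded POST body, if captured
    for name, value in pairs:
        if name == WATCHED_PARAM and SHELL_META.search(value):
            return value
    return None


def scan(lines):
    """Yield (line_number, decoded_value) for every flagged log line."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_FIELD.search(line)
        if match:
            value = suspicious_hname(match.group("target"))
            if value is not None:
                yield number, value


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /usb_paswd.asp?hname=office-nas HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /usb_paswd.asp?hname=a%3Bb HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /usb_paswd.asp?hname=a%7Cb HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /index.asp?hname=a%3Bb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious hname={value!r}")
```

Access logs rarely record POST bodies, so pass the body to suspicious_hname() from a proxy or packet capture that retains it.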