CVE-2025-11339

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in D-Link DI-7100G C1 routers allows remote attackers to execute arbitrary code by manipulating the popupId parameter in the webchat component. This affects all versions up to September 28, 2025. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • D-Link DI-7100G C1
Versions: All versions up to 20250928
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable component jhttpd is part of the web management interface, typically exposed on LAN interfaces by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, lateral movement into internal networks, and persistent backdoor installation.

🟠 Likely Case: Remote code execution allowing attackers to modify device configuration, intercept traffic, or use the device as a foothold for further attacks.

🟢 If Mitigated: Denial of service or temporary disruption if exploit attempts are blocked by network controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available, making weaponization likely. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/

Restart Required: Yes

Instructions:

1. Check the D-Link website for firmware updates.
2. Download the latest firmware for the DI-7100G C1.
3. Upload it via the web interface.
4. Reboot the device.

🔧 Temporary Workarounds

Block webchat access (platform: linux)

Restrict access to the vulnerable /webchat/hi_block.asp endpoint using firewall rules.

iptables -A INPUT -p tcp --dport 80 -m string --string "/webchat/hi_block.asp" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/webchat/hi_block.asp" --algo bm -j DROP

Caveat: the string match inspects each packet on its own, so it will not catch a request whose path is split across TCP segments, and on port 443 it cannot see the path at all once the connection is TLS-encrypted. Restricting which source addresses may reach the management ports is the more reliable control.

Disable web management (platform: all)

Turn off the web-based management interface if it is not required.

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict firewall rules.
  • Implement network intrusion detection to monitor for exploit attempts.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the web interface or via the CLI. If the version date is 20250928 or earlier, the device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware

Verify Fix Applied:

Verify that the firmware version is newer than 20250928 and test that the /webchat/hi_block.asp endpoint no longer accepts malformed popupId parameters.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /webchat/hi_block.asp with unusually long popupId parameters
  • jhttpd process crashes or abnormal restarts

Network Indicators:

  • HTTP POST requests to /webchat/hi_block.asp with buffer overflow patterns in payload

SIEM Query:

source="router_logs" AND url="/webchat/hi_block.asp" AND (payload_size>1000 OR contains(payload, "popupId="))
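The log indicators above, turned into a small detector that can be run over exported router access logs. This is an added example, not part of the original advisory or of any D-Link tooling; the log format (Common Log Format) and the benign popupId length bound are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format; not captured from a real device.
SAMPLE_LOGS = [
    '192.0.2.10 - - [01/Oct/2025:10:00:01 +0000] "GET /webchat/hi_block.asp?popupId=12 HTTP/1.1" 200 512',
    '192.0.2.55 - - [01/Oct/2025:10:00:07 +0000] "POST /webchat/hi_block.asp?popupId=' + "A" * 600 + ' HTTP/1.1" 500 0',
    '192.0.2.10 - - [01/Oct/2025:10:00:09 +0000] "GET /index.asp HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

VULN_PATH = "/webchat/hi_block.asp"
MAX_POPUPID_LEN = 64  # assumed benign upper bound; tune to what your devices really send


def parse_line(line):
    """Split one access-log line into fields, plus the decoded path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Query string only: parameters sent in a POST body are not in access logs.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(line):
    """Return a finding for a suspicious hi_block.asp request, or None."""
    rec = parse_line(line)
    if rec is None or rec["path"] != VULN_PATH:
        return None
    longest = max((len(v) for v in rec["query"].get("popupId", [])), default=0)
    if longest <= MAX_POPUPID_LEN:
        return None
    return {"src": rec["src"], "ts": rec["ts"], "method": rec["method"],
            "status": rec["status"], "popupid_len": longest}


def scan(lines):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```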

🔗 References
