CVE-2025-11095
BaseFortify
Publication date: 2025-09-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
| dlink | dir-823x | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11095 is a command injection vulnerability in the D-Link DIR-823X router (version 250416). It occurs in the /goform/delete_offline_device endpoint where the 'delvalue' parameter is not properly sanitized. This allows an attacker to remotely inject and execute arbitrary commands on the device without needing local access, potentially compromising the device's confidentiality, integrity, and availability. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute arbitrary commands on the affected router, leading to potential full compromise of the device. This can result in unauthorized access, disruption of network services, data theft, or manipulation, and overall loss of device availability and integrity. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring network traffic or device logs for requests to the vulnerable endpoint /goform/delete_offline_device with suspicious or unusual values in the delvalue parameter. Since the vulnerability involves command injection via the delvalue parameter, commands or scripts that send crafted HTTP requests to this endpoint with various delvalue payloads can be used to test for exploitation. For example, using curl to send requests: curl -X POST http://<device-ip>/goform/delete_offline_device -d 'delvalue=some_test_payload'. Detection tools can look for such requests or unexpected command execution behavior on the device. However, no specific detection commands or signatures are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No known mitigations or countermeasures have been identified for this vulnerability. The recommended immediate step is to replace the affected D-Link DIR-823X device with an alternative product to avoid exploitation. Since the exploit is public and remote exploitation is possible, discontinuing use of the vulnerable device is advised until a vendor patch or fix is available. [1]