CVE-2025-10440: OS Command Injection in D-Link DI-8100
A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-10440 is a security vulnerability identified in several D-Link router models, specifically the DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003, and DI-8003G running firmware versions 16.07.26A1, 17.12.20A1, and 19.12.10A1. The vulnerability resides in the function sub_4621DC within the usb_paswd.asp file, part of the jhttpd component, which is the embedded HTTP server used by these devices. The flaw is an OS command injection triggered by manipulation of the 'hname' argument. This means that an attacker can craft a specially formed request to the device's web interface that injects arbitrary operating system commands, which the device then executes with the privileges of the web server process. The vulnerability is remotely exploitable without requiring user interaction or authentication, making it particularly dangerous. Although the CVSS 4.0 base score is 5.3 (medium severity), the exploitability is relatively straightforward due to low attack complexity and no need for privileges or user interaction. The impact on confidentiality, integrity, and availability is limited but present, as the attacker can execute arbitrary commands that may lead to information disclosure, device manipulation, or denial of service. No public exploits have been observed in the wild yet, but the vulnerability details have been disclosed, increasing the risk of exploitation. No official patches or mitigation links are currently provided by the vendor, which increases the urgency for affected organizations to take protective measures.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, especially for those relying on the affected D-Link router models in their network infrastructure. Successful exploitation could allow attackers to execute arbitrary commands on the routers, potentially leading to unauthorized access to internal networks, interception or manipulation of network traffic, or disruption of network services. This could impact confidentiality by exposing sensitive data traversing the network, integrity by altering configurations or data, and availability by causing device crashes or network outages. Organizations in sectors with critical infrastructure or sensitive data, such as finance, healthcare, and government, may face heightened risks. Additionally, the remote and unauthenticated nature of the exploit increases the likelihood of automated attacks targeting exposed devices. Given the widespread use of D-Link networking equipment in small and medium enterprises across Europe, the vulnerability could be leveraged in targeted or opportunistic attacks, especially if attackers combine it with other vulnerabilities or social engineering tactics.
Mitigation Recommendations
1. Immediate network segmentation: Isolate affected D-Link devices from critical network segments to limit potential lateral movement if compromised.
2. Disable remote management interfaces on affected routers unless absolutely necessary, reducing the attack surface.
3. Implement strict firewall rules to restrict access to router management ports (typically HTTP/HTTPS) to trusted internal IP addresses only.
4. Monitor network traffic for unusual or suspicious HTTP requests targeting the usb_paswd.asp endpoint or containing suspicious 'hname' parameters.
5. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect attempts to exploit this command injection.
6. Regularly audit and update router firmware; even though no official patch is currently available, monitor D-Link advisories for forthcoming updates.
7. As a longer-term measure, consider replacing affected devices with models from vendors with stronger security track records and active patch support.
8. Educate IT staff about this vulnerability and ensure incident response plans include steps for potential exploitation scenarios involving network infrastructure devices.
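Recommendation 4 asks for monitoring of requests to usb_paswd.asp with a suspicious hname value. The following is an added detection example, not code from the advisory or from D-Link: it scans combined-format access log lines (the log shape and the sample lines are constructed assumptions; a device in front of the router, a proxy or an IDS export would have to produce them) and flags any request to that endpoint whose hname carries shell metacharacters, which a legitimate hostname never contains.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters that let a parameter value break out of a shell command line.
# A real hostname is limited to letters, digits, '-' and '.', so any of these
# in hname is a strong signal regardless of what follows them.
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")

# Assumed combined-log-style line: client, timestamp, request line, status.
# Adapt this pattern to whatever your monitoring point actually emits.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(line):
    """Return a finding dict for a request to usb_paswd.asp whose hname
    parameter contains shell metacharacters, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("usb_paswd.asp"):
        return None
    # parse_qs already percent-decodes once; the extra unquote() catches
    # double-encoded values such as %253B that would otherwise slip past.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("hname", []):
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return {"client": m.group("client"), "hname": decoded,
                    "reason": "shell metacharacter in hname"}
    return None

def scan(lines):
    """Run inspect_request over every line and keep the findings."""
    return [f for f in map(inspect_request, lines) if f]

# Constructed sample lines, not real traffic. Only the second one should fire.
# Note: parameters sent in a POST body do not appear in access logs; those
# need a capture point that records request bodies.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Sep/2025:00:08:18 +0000] "GET /usb_paswd.asp?hname=nas-01 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Sep/2025:00:09:02 +0000] "GET /usb_paswd.asp?hname=nas%3Bcmd HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Sep/2025:00:09:40 +0000] "GET /index.asp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```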
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-14T15:38:46.023Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 9/16/2025, 12:08:18 AM
Last enriched: 9/16/2025, 12:29:15 AM
Last updated: 9/16/2025, 1:40:42 AM