CVE-2025-11095 is a command injection vulnerability identified in the D-Link DIR-823X router firmware version 250416. The vulnerability resides in the handling of the 'delvalue' parameter within the /goform/delete_offline_device endpoint. By manipulating this parameter, an attacker can inject arbitrary OS commands that the device executes, resulting in remote code execution. The flaw does not require authentication or user interaction, making it accessible to remote attackers over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although the impact on CIA is low, the ability to execute arbitrary commands remotely can lead to device compromise, pivoting within internal networks, and potential data exfiltration or disruption. No official patches or updates have been linked yet, and while no exploits are known to be active in the wild, a public proof-of-concept exploit exists, increasing the risk of exploitation. The vulnerability affects a specific firmware version, so organizations should verify their device versions and firmware status. Given the widespread use of D-Link routers in both consumer and small business environments, this vulnerability poses a tangible risk to network security.

For European organizations, exploitation of CVE-2025-11095 could lead to unauthorized control over affected routers, enabling attackers to intercept, modify, or redirect network traffic. This could compromise the confidentiality and integrity of sensitive communications and data. Additionally, attackers could use the compromised device as a foothold to launch further attacks within the internal network, potentially targeting critical infrastructure or business systems. The vulnerability's remote exploitability without authentication increases the risk of widespread attacks, especially in environments where these routers are deployed with default or weak configurations. Disruption of network availability is also possible if attackers execute commands that degrade device performance or cause crashes. The medium severity rating reflects the balance between ease of exploitation and limited direct impact on confidentiality, integrity, and availability, but the broader network security implications remain significant. European organizations relying on D-Link DIR-823X routers, particularly in sectors such as telecommunications, healthcare, and government, may face elevated risks.

1. Immediately identify all D-Link DIR-823X routers running firmware version 250416 within the network. 2. Restrict access to router management interfaces by implementing network segmentation and firewall rules that limit access to trusted administrators only. 3. Disable remote management features if not required, especially WAN-side access to router configuration pages. 4. Monitor network traffic for unusual commands or patterns indicative of exploitation attempts targeting the /goform/delete_offline_device endpoint. 5. Apply firmware updates or patches from D-Link as soon as they become available; in the absence of official patches, consider temporary device replacement or isolation. 6. Enforce strong authentication mechanisms and change default credentials on all affected devices. 7. Conduct regular vulnerability scans and penetration tests focusing on network edge devices to detect similar injection vulnerabilities. 8. Educate IT staff about this vulnerability and the importance of promptly addressing router firmware updates and configurations.