CVE-2025-11335: Command Injection in D-Link DI-7100G C1
A weakness has been identified in D-Link DI-7100G C1 firmware up to 20250928. Affected is the function sub_46409C of the file /msp_info.htm?flag=qos in the component jhttpd. Manipulation of the argument iface causes command injection. The attack can be carried out remotely. The exploit has been made available to the public and may be used in attacks.
AI Analysis
Technical Summary
CVE-2025-11335 is a command injection vulnerability in the D-Link DI-7100G C1 router, affecting firmware versions up to 20250928. The flaw lies in the jhttpd web server component, specifically in the function sub_46409C, which handles requests to /msp_info.htm with the 'flag=qos' parameter. It stems from insufficient input validation of the 'iface' argument, which an attacker can manipulate to inject arbitrary OS commands. The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:H) shows that the injection is triggered over the network with low attack complexity and no user interaction, but PR:H means high privileges are required, so the attacker must already hold an authenticated session on the management interface. The CVSS score of 5.1 reflects medium severity, accounting for the high privileges required and the limited impact on confidentiality, integrity, and availability. Exploit code has been publicly released, which increases the likelihood of exploitation even though no active attacks have been reported. Successful exploitation allows command execution on the router, potentially leading to device compromise, network disruption, or pivoting into internal networks. No vendor patch was available at the time of publication, so immediate defensive measures are needed. The affected router model is widely deployed in enterprise and possibly critical infrastructure environments, making this a significant concern for network security teams.
Potential Impact
For European organizations, exploitation of CVE-2025-11335 could lead to unauthorized command execution on network routers, compromising device integrity and potentially allowing attackers to intercept, modify, or disrupt network traffic. This could result in partial loss of confidentiality, integrity, and availability of network services. Given the router's role in managing network traffic, attackers could leverage this vulnerability to establish persistent footholds, conduct lateral movement, or launch further attacks against internal systems. Critical infrastructure sectors relying on these devices, such as telecommunications, government networks, and large enterprises, face increased risk of operational disruption and data breaches. The public availability of exploit code lowers the barrier for attackers, increasing the threat level. Although no active exploitation has been reported, the medium severity rating and ease of remote exploitation without user interaction make this a notable risk for European networks using the affected D-Link devices.
Mitigation Recommendations
1. Immediately inventory and identify all D-Link DI-7100G C1 devices within the network to assess exposure.
2. Restrict network access to the router's management interfaces, especially the /msp_info.htm endpoint, by implementing firewall rules or network segmentation to limit access to trusted administrators only.
3. Monitor network traffic for unusual requests targeting the 'flag=qos' parameter or suspicious command injection patterns.
4. Apply vendor firmware updates or patches as soon as they become available; engage with D-Link support to obtain timelines or beta fixes if possible.
5. If patches are unavailable, consider temporarily disabling or restricting the vulnerable jhttpd service or the affected web interface functionality.
6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts against this vulnerability.
7. Conduct regular security audits and penetration testing focused on router and network device configurations to identify and remediate similar vulnerabilities.
8. Educate network administrators on the risks of command injection and the importance of secure device management practices.
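The 'iface' validation that the Technical Summary says is missing in sub_46409C and the traffic monitoring that mitigation 3 calls for come down to the same check. The following Python is an added example, not code from this page, from D-Link or from jhttpd: it applies a strict interface-name allowlist (assumed here to be letters, digits, '.', '_' and '-', at most 15 characters, the Linux IFNAMSIZ limit) and scans access-log lines for requests to /msp_info.htm with flag=qos whose iface value fails that allowlist or contains shell metacharacters. The combined log format, the sample lines and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist for a Linux interface name (assumption: IFNAMSIZ-1 = 15 chars,
# letters, digits, '.', '_', '-'). This is the kind of validation the advisory
# implies is missing for the 'iface' argument; a real fix would apply it
# server-side before the value reaches any command line.
IFACE_RE = re.compile(r"[A-Za-z0-9._-]{1,15}")

# Characters a shell interprets specially; any of these inside an interface
# name is a strong command-injection indicator.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\ ")

def is_valid_iface(value):
    """True only if the value is a plausible interface name under the allowlist."""
    return IFACE_RE.fullmatch(value) is not None

# Minimal parser for an Apache/nginx "combined" access-log line (format is an
# assumption for this example; adapt the regex to your proxy's log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(method, target):
    """Return a finding dict if the request hits /msp_info.htm?flag=qos with a
    suspicious iface value, otherwise None."""
    parts = urlsplit(target)
    if parts.path != "/msp_info.htm":
        return None
    # parse_qs percent-decodes values, so an encoded %3B is inspected as ';'
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "qos" not in qs.get("flag", []):
        return None
    for iface in qs.get("iface", []):
        meta = sorted(SHELL_META & set(iface))
        if meta or not is_valid_iface(iface):
            return {"method": method, "iface": iface, "metachars": meta}
    return None

def scan_log(lines):
    """Run inspect_request over log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["method"], m["target"])
        if finding:
            finding.update(src=m["src"], ts=m["ts"], status=m["status"])
            findings.append(finding)
    return findings

# Constructed sample log: one benign QoS request, one unrelated page, three
# suspicious iface values (encoded ';', raw '|', over-long name), one junk line.
SAMPLE_LOG = [
    '192.0.2.10 - admin [06/Oct/2025:12:00:01 +0000] "GET /msp_info.htm?flag=qos&iface=eth0 HTTP/1.1" 200 512',
    '192.0.2.11 - - [06/Oct/2025:12:00:02 +0000] "GET /index.htm HTTP/1.1" 200 1024',
    '198.51.100.7 - admin [06/Oct/2025:12:01:02 +0000] "GET /msp_info.htm?flag=qos&iface=eth0%3Bx HTTP/1.1" 200 512',
    '198.51.100.7 - admin [06/Oct/2025:12:01:05 +0000] "GET /msp_info.htm?flag=qos&iface=br0|x HTTP/1.1" 200 512',
    '198.51.100.7 - admin [06/Oct/2025:12:01:09 +0000] "GET /msp_info.htm?flag=qos&iface=eth0eth0eth0eth0eth0 HTTP/1.1" 200 512',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} iface={f['iface']!r} metachars={f['metachars']}")
```

Values are percent-decoded before inspection, so an encoded %3B is caught as ';', and the allowlist catches anomalies that carry no metacharacter at all (the over-long name above). Because jhttpd may receive iface in a POST body that an access log never records, inspect_request is better run inside a reverse proxy or IDS that sees the full request. The flag=qos filter mirrors the advisory's scope; loosening it turns the rule into a broader anomaly signal for the same endpoint.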
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-05T15:42:21.663Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e3ba264ffbcd9cf4f20805
Added to database: 10/6/2025, 12:46:30 PM
Last enriched: 10/6/2025, 12:46:56 PM
Last updated: 10/7/2025, 1:35:19 AM