D-Link DI-7100G C1 CVE-2025-11338 Buffer Overflow: Brief Technical Summary

This post provides a brief summary of CVE-2025-11338, a buffer overflow vulnerability in D-Link DI-7100G C1 routers up to firmware 20250928. It covers technical details, affected versions, and vendor security history based on available public sources.

ZeroPath CVE Analysis

2025-10-06

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Remote attackers can gain code execution on business-class D-Link DI-7100G C1 routers by exploiting a buffer overflow in the jhttpd web interface. The vulnerability, CVE-2025-11338, is unpatched due to end-of-life status and has public exploit code available, making it a significant risk for organizations still running these devices.

About D-Link and the DI-7100G C1: D-Link is a major global networking vendor with a wide range of consumer and business products. The DI-7100G C1 is a gigabit router designed for small to medium-sized business environments, supporting advanced features like VPN, cloud integration, and multi-AP management. D-Link's product portfolio is extensive, but the company has faced recurring security issues in its firmware, especially in end-of-life products.

Technical Information

CVE-2025-11338 is a buffer overflow vulnerability in the jhttpd web service of D-Link DI-7100G C1 routers running firmware up to 20250928. The flaw is present in the function sub_4C0990 within the /webchat/login.cgi handler. When processing HTTP requests, the code does not properly check the length of the openid parameter before copying it into a fixed-size buffer. An attacker can send a crafted HTTP request with an excessively long openid value, causing a buffer overflow and leading to memory corruption.

  • Vulnerability location: /webchat/login.cgi (jhttpd component)
  • Vulnerable function: sub_4C0990
  • Attack vector: Remote HTTP request with long openid parameter
  • Impact: Memory corruption, potential remote code execution, denial of service
  • Authentication required: No
  • Exploit status: Public exploit code available

The root cause is a lack of bounds checking on user-supplied input before copying it into a stack-based buffer. This is a classic example of CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
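
A defensive check for the request pattern described above, as an added example that is not part of the original post or any vendor tooling: it parses raw HTTP requests (for instance from a reverse proxy or a packet capture) and flags those that send an overlong openid to /webchat/login.cgi. The 128-byte threshold, the function names and the sample requests are assumptions constructed for illustration; the page does not state the buffer size or whether openid arrives in the query string or the body, so both are checked.

```python
import re
from urllib.parse import parse_qsl, unquote

TARGET_PATH = "/webchat/login.cgi"  # handler named in the advisory
PARAM = "openid"                    # parameter named in the advisory
MAX_LEN = 128  # ASSUMPTION: alerting threshold chosen here, not the firmware's buffer size

def openid_lengths(raw: bytes) -> list[int]:
    """Byte lengths of every decoded openid value sent to the login handler."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(fields) < 2:
        return []  # not a parseable request line
    path, _, query = fields[1].partition("?")
    # Undo percent-encoding and collapse duplicate slashes so trivial path variants still match.
    if re.sub(r"/+", "/", unquote(path)) != TARGET_PATH:
        return []
    lengths = []
    # latin-1 maps bytes 1:1 to characters, so len(value) is the decoded byte length.
    for source in (query, body.decode("latin-1")):
        for name, value in parse_qsl(source, keep_blank_values=True, encoding="latin-1"):
            if name == PARAM:
                lengths.append(len(value))
    return lengths

def is_suspicious(raw: bytes, max_len: int = MAX_LEN) -> bool:
    """True when any openid value on the login handler exceeds the threshold."""
    return any(n > max_len for n in openid_lengths(raw))

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal_query": b"GET /webchat/login.cgi?openid=oUpF8uMuAJO HTTP/1.1\r\nHost: router\r\n\r\n",
    "long_query": b"GET /webchat/login.cgi?openid=" + b"A" * 200 + b" HTTP/1.1\r\nHost: router\r\n\r\n",
    "long_body": b"POST //webchat/login.cgi HTTP/1.1\r\nHost: router\r\n\r\nopenid=" + b"%41" * 150,
    "other_path": b"GET /index.htm?openid=" + b"A" * 200 + b" HTTP/1.1\r\nHost: router\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label}: lengths={openid_lengths(req)} suspicious={is_suspicious(req)}")
```

Because no patch is available for this end-of-life device, a check like this belongs on a filtering proxy or IDS in front of the management interface, with the threshold tuned to the longest openid value seen in legitimate traffic.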

Affected Systems and Versions

  • Product: D-Link DI-7100G C1
  • Firmware versions: Up to and including 20250928
  • Component: jhttpd web service, /webchat/login.cgi
  • Vulnerable parameter: openid
  • All configurations using the affected firmware are vulnerable

Vendor Security History

D-Link has a documented history of buffer overflow and command injection vulnerabilities across multiple product lines, including:

  • CVE-2025-57636: OS command injection in DI-7100G C1 (sub_47F028, HTTP time parameter)
  • CVE-2025-57637: Buffer overflow in DI-7100G C1 (sub_451754, viav4 parameter)
  • Multiple stack-based buffer overflows in DIR-823 and other routers

D-Link's end-of-life policy means that products like the DI-7100G C1 do not receive security patches after support ends, leaving known vulnerabilities unaddressed.
