Introduction
Remote attackers can gain code execution on business-class D-Link DI-7100G C1 routers by exploiting a buffer overflow in the jhttpd web interface. The vulnerability, CVE-2025-11338, is unpatched due to end-of-life status and has public exploit code available, making it a significant risk for organizations still running these devices.
About D-Link and the DI-7100G C1: D-Link is a major global networking vendor with a wide range of consumer and business products. The DI-7100G C1 is a gigabit router designed for small to medium-sized business environments, supporting advanced features like VPN, cloud integration, and multi-AP management. D-Link's product portfolio is extensive, but the company has faced recurring security issues in its firmware, especially in end-of-life products.
Technical Information
CVE-2025-11338 is a buffer overflow vulnerability in the jhttpd web service of D-Link DI-7100G C1 routers running firmware up to 20250928. The flaw is present in the function sub_4C0990 within the /webchat/login.cgi handler. When processing HTTP requests, the code does not properly check the length of the openid parameter before copying it into a fixed-size buffer. An attacker can send a crafted HTTP request with an excessively long openid value, causing a buffer overflow and leading to memory corruption.
- Vulnerability location: /webchat/login.cgi (jhttpd component)
- Vulnerable function: sub_4C0990
- Attack vector: Remote HTTP request with long openid parameter
- Impact: Memory corruption, potential remote code execution, denial of service
- Authentication required: No
- Exploit status: Public exploit code available
The root cause is a lack of bounds checking on user-supplied input before copying it into a stack-based buffer. This is a classic example of CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
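Detection logic for the request pattern described above, added here as an example and not code from D-Link or from the advisory: it flags requests to /webchat/login.cgi whose openid value exceeds a length threshold, in either the query string or a form body. The 128-byte threshold, the record format and the sample requests are assumptions constructed for illustration; the advisory does not state the buffer size.

```python
import re
from urllib.parse import unquote, unquote_plus

TARGET_PATH = "/webchat/login.cgi"  # handler named in the advisory
PARAM = "openid"                    # parameter named in the advisory
MAX_LEN = 128  # assumed alert threshold; the advisory does not give the buffer size


def openid_lengths(target, body=""):
    """Raw (still percent-encoded) byte length of each openid value in a request."""
    raw_path, _, query = target.partition("?")
    # Decode and collapse repeated slashes so trivial path variants still match.
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    if path != TARGET_PATH:
        return []
    lengths = []
    for blob in (query, body):
        for pair in filter(None, blob.split("&")):
            key, _, value = pair.partition("=")
            if unquote_plus(key) == PARAM:
                # Raw length is >= decoded length, so this never under-counts.
                lengths.append(len(value.encode("utf-8", "replace")))
    return lengths


def flag_requests(records, max_len=MAX_LEN):
    """Return (source, method, length) for every request with an oversized openid."""
    hits = []
    for rec in records:
        for n in openid_lengths(rec["target"], rec.get("body", "")):
            if n > max_len:
                hits.append((rec["src"], rec["method"], n))
    return hits


# Constructed sample records (documentation address ranges), not captured traffic.
SAMPLE = [
    {"src": "192.0.2.10", "method": "GET", "target": "/webchat/login.cgi?openid=o6_bmjrPTlm6"},
    {"src": "198.51.100.7", "method": "GET", "target": "/webchat/login.cgi?openid=" + "A" * 600},
    {"src": "198.51.100.7", "method": "POST", "target": "//webchat/login.cgi",
     "body": "x=1&openid=" + "%41" * 300},
    {"src": "192.0.2.44", "method": "GET", "target": "/index.htm?openid=" + "B" * 600},
]

if __name__ == "__main__":
    for src, method, n in flag_requests(SAMPLE):
        print(f"ALERT {src} {method} {TARGET_PATH} openid length={n}")
```

The same length check can run in a reverse proxy or IDS rule in front of the management interface; tune the threshold against the longest openid values seen in legitimate traffic.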
Affected Systems and Versions
- Product: D-Link DI-7100G C1
- Firmware versions: Up to and including 20250928
- Component: jhttpd web service, /webchat/login.cgi
- Vulnerable parameter: openid
- All configurations using the affected firmware are vulnerable
Vendor Security History
D-Link has a documented history of buffer overflow and command injection vulnerabilities across multiple product lines, including:
- CVE-2025-57636: OS command injection in DI-7100G C1 (sub_47F028, HTTP time parameter)
- CVE-2025-57637: Buffer overflow in DI-7100G C1 (sub_451754, viav4 parameter)
- Multiple stack-based buffer overflows in DIR-823 and other routers
D-Link's end-of-life policy means that products like the DI-7100G C1 do not receive security patches after support ends, leaving known vulnerabilities unaddressed.