ID

VAR-201507-0710


CVE

CVE-2025-34125


TITLE

D-Link Cookie Command Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2015-04792

DESCRIPTION

An unauthenticated command injection vulnerability exists in the cookie handling process of the lighttpd web server on D-Link DSP-W110A1 firmware version 1.05B01. This occurs when specially crafted cookie values are processed, allowing remote attackers to execute arbitrary commands on the underlying Linux operating system. Successful exploitation enables full system compromise. The D-Link DSP-W110A1_FW105B01 is a socket that controls the power switch wirelessly. D-Link has a remote upload and code execution vulnerability. The D-Link DSP-W110A1 is a Wi-Fi smart router. The D-Link DSP-W110A1 suffers from a command injection vulnerability due to improper input parameter filtering.

Trust: 1.98

sources: NVD: CVE-2025-34125 // CNVD: CNVD-2015-04792 // CNVD: CNVD-2025-17384

IOT TAXONOMY

category: ['IoT', 'Network device'] sub_category: -

Trust: 0.6

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-04792 // CNVD: CNVD-2025-17384

AFFECTED PRODUCTS

vendor: d link model: dsp-w110a1 fw105b01 scope: - version: -

Trust: 0.6

vendor: d link model: dsp-w110a1 1.05b01 scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2015-04792 // CNVD: CNVD-2025-17384

CVSS

SEVERITY

CVSSV2

CVSSV3

disclosure@vulncheck.com: CVE-2025-34125
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2015-04792
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-17384
value: HIGH

Trust: 0.6

CNVD: CNVD-2015-04792
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2025-17384
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2015-04792 // CNVD: CNVD-2025-17384 // NVD: CVE-2025-34125

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

sources: NVD: CVE-2025-34125

EXTERNAL IDS

db: EXPLOIT-DB id: 37628

Trust: 2.2

db: NVD id: CVE-2025-34125

Trust: 1.6

db: EXPLOITDB id: 37628

Trust: 0.6

db: CNVD id: CNVD-2015-04792

Trust: 0.6

db: CNVD id: CNVD-2025-17384

Trust: 0.6

sources: CNVD: CNVD-2015-04792 // CNVD: CNVD-2025-17384 // NVD: CVE-2025-34125

REFERENCES

url:https://www.exploit-db.com/exploits/37628

Trust: 1.6

url:https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb

Trust: 1.0

url:https://web.archive.org/web/20160125171424/https://github.com/darkarnium/secpub/tree/master/d-link/dsp-w110

Trust: 1.0

url:https://www.vulncheck.com/advisories/dlink-dspw110a1-cookie-command-injection

Trust: 1.0

url:https://www.exploit-db.com/exploits/37628/

Trust: 0.6

sources: CNVD: CNVD-2015-04792 // CNVD: CNVD-2025-17384 // NVD: CVE-2025-34125

SOURCES

db: CNVD id: CNVD-2015-04792
db: CNVD id: CNVD-2025-17384
db: NVD id: CVE-2025-34125

LAST UPDATE DATE

2025-08-02T23:02:19.123000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2015-04792 date: 2015-07-23T00:00:00
db: CNVD id: CNVD-2025-17384 date: 2025-08-01T00:00:00
db: NVD id: CVE-2025-34125 date: 2025-07-17T21:15:50.197

SOURCES RELEASE DATE

db: CNVD id: CNVD-2015-04792 date: 2015-07-23T00:00:00
db: CNVD id: CNVD-2025-17384 date: 2025-08-01T00:00:00
db: NVD id: CVE-2025-34125 date: 2025-07-16T22:15:24.003