{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10440", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-09-14T15:38:46.023Z", "datePublished": "2025-09-15T10:02:07.376Z", "dateUpdated": "2025-09-15T16:27:56.083Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-09-15T10:02:07.376Z"}, "title": "D-Link DI-8100/DI-8100G/DI-8200/DI-8200G/DI-8003/DI-8003G jhttpd usb_paswd.asp sub_4621DC os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "D-Link", "product": "DI-8100", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8100G", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8200", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8200G", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8003", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8003G", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "In D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1 wurde eine Schwachstelle gefunden. Es betrifft die Funktion sub_4621DC der Datei usb_paswd.asp der Komponente jhttpd. Die Ver\u00e4nderung des Parameters hname resultiert in os command injection. Der Angriff kann remote ausgef\u00fchrt werden. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-09-14T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-09-14T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-09-14T17:43:54.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "shiny (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.323874", "name": "VDB-323874 | D-Link DI-8100/DI-8100G/DI-8200/DI-8200G/DI-8003/DI-8003G jhttpd usb_paswd.asp sub_4621DC os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.323874", "name": "VDB-323874 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.647835", "name": "Submit #647835 | D-Link D-Link DI-8100\u3001DI-8100G\u3001DI-8200\u3001DI-8200G\u3001DI-8003\u3001DI-8003G DI_8100-16.07.26A1 DI_8100G-17.12.20A1 DI_8200-16.07.26A1 DI_8200G-17.12.20A1 DI_8003-16.07.26A1 DI_8003G-19.12.10A1 OS Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md", "tags": ["related"]}, {"url": "https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md#exp", "tags": ["exploit"]}, {"url": "https://www.dlink.com/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-15T16:27:43.933970Z", "id": "CVE-2025-10440", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-15T16:27:56.083Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10440", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-09-14T15:38:46.023Z", "datePublished": "2025-09-15T10:02:07.376Z", "dateUpdated": "2025-09-15T16:27:56.083Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-09-15T10:02:07.376Z"}, "title": "D-Link DI-8100/DI-8100G/DI-8200/DI-8200G/DI-8003/DI-8003G jhttpd usb_paswd.asp sub_4621DC os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "D-Link", "product": "DI-8100", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8100G", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8200", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8200G", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8003", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}, {"vendor": "D-Link", "product": "DI-8003G", "versions": [{"version": "16.07.26A1", "status": "affected"}, {"version": "17.12.20A1", "status": "affected"}, {"version": "19.12.10A1", "status": "affected"}], "modules": ["jhttpd"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "In D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1 wurde eine Schwachstelle gefunden. Es betrifft die Funktion sub_4621DC der Datei usb_paswd.asp der Komponente jhttpd. Die Ver\u00e4nderung des Parameters hname resultiert in os command injection. Der Angriff kann remote ausgef\u00fchrt werden. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-09-14T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-09-14T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-09-14T17:43:54.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "shiny (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.323874", "name": "VDB-323874 | D-Link DI-8100/DI-8100G/DI-8200/DI-8200G/DI-8003/DI-8003G jhttpd usb_paswd.asp sub_4621DC os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.323874", "name": "VDB-323874 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.647835", "name": "Submit #647835 | D-Link D-Link DI-8100\u3001DI-8100G\u3001DI-8200\u3001DI-8200G\u3001DI-8003\u3001DI-8003G DI_8100-16.07.26A1 DI_8100G-17.12.20A1 DI_8200-16.07.26A1 DI_8200G-17.12.20A1 DI_8003-16.07.26A1 DI_8003G-19.12.10A1 OS Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md", "tags": ["related"]}, {"url": "https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md#exp", "tags": ["exploit"]}, {"url": "https://www.dlink.com/", "tags": ["product"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10440", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-15T16:27:43.933970Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-15T16:27:50.518Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."}], "id": "CVE-2025-10440", "lastModified": "2025-09-15T15:21:42.937", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-09-15T10:15:32.233", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md"}, {"source": "cna@vuldb.com", "url": "https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md#exp"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.323874"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.323874"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.647835"}, {"source": "cna@vuldb.com", "url": "https://www.dlink.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}