Critical severityNVD Advisory· Published Jul 16, 2025· Updated Apr 15, 2026

CVE-2025-34125

Description

An unauthenticated command injection vulnerability exists in the cookie handling process of the lighttpd web server on D-Link DSP-W110A1 firmware version 1.05B01. This occurs when specially crafted cookie values are processed, allowing remote attackers to execute arbitrary commands on the underlying Linux operating system. Successful exploitation enables full system compromise.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rbnvd
web.archive.org/web/20160125171424/https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110nvd
www.exploit-db.com/exploits/37628nvd
www.vulncheck.com/advisories/dlink-dspw110a1-cookie-command-injectionnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.058
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000