Cyber Resilience

CVE-2025-11665

Severity: Medium · Public PoC available

Published: 13 October 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: none available
CVSS v4.0 base score: 5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS score: 0.0031 (54.7th percentile)
Risk priority: 10 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11665 is a medium-severity command injection (CWE-77) vulnerability in D-Link DAP-2695 firmware. Its CVSS v4.0 base score is 5.1 (Medium); under CVSS v3.1 it scores 4.7.

Operationally, exploitation is mapped to the MITRE ATT&CK technique Indirect Command Execution (T1202). Its EPSS score places it in the top 45.3% of CVEs by estimated exploit likelihood (54.7th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-11665 is an OS command injection vulnerability (CWE-77, CWE-78) in the D-Link DAP-2695 access point, firmware version 2.00RC131. The flaw lies in the fwupdater_main function of the rgbin binary, part of the Firmware Update Handler component: input reaching that function is not neutralized before it is used to build an OS command, so an attacker-controlled value can carry additional commands.

The attack is network-reachable (AV:N), of low complexity, and needs no user interaction, but it requires high privileges (PR:H), in practice an authenticated administrative session on the device's management interface (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L, base score 4.7). Successful exploitation runs arbitrary OS commands on the access point. The vector rates confidentiality, integrity and availability impact as low (C:L/I:L/A:L); treat that as a floor, since arbitrary command execution on an embedded device usually amounts to full control of it.

The affected product is no longer supported by the maintainer, so no patch is available; mitigation is limited to compensating controls (restricting who can reach and authenticate to the management interface) or replacing the device. Details are given in the GitHub IOTRes/IOT_Firmware_Update repository (D-Link DAP-2695 section) and in VulDB (ctiid.328084, id.328084).


Vulnerability details

A vulnerability was detected in D-Link DAP-2695 2.00RC131. This affects the function fwupdater_main of the file rgbin of the component Firmware Update Handler. Performing manipulation results in OS command injection. The attack may be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

OS command injection in the remote firmware update handler (fwupdater_main in rgbin) lets an attacker run injected commands through the device's command interpreter (T1202) by exploiting a network-exposed service (T1210). Two caveats on the fit: T1202 properly describes abusing utilities such as forfiles or pcalua.exe to evade restrictions on command-line interpreters, not injecting into a service that already invokes one, and T1210 assumes the adversary is already inside the network. Where the management interface is reached from outside, Exploit Public-Facing Application (T1190) is the closer match, with the resulting command execution falling under Command and Scripting Interpreter (T1059).

CVEs Like This One

CVE-2025-12295 (same product: D-Link DAP-2695)
CVE-2026-3485 (same vendor: D-Link)
CVE-2025-9026 (same vendor: D-Link)
CVE-2025-9752 (same vendor: D-Link)
CVE-2026-2260 (same vendor: D-Link)
CVE-2026-4465 (same vendor: D-Link)
CVE-2026-2210 (same vendor: D-Link)
CVE-2026-8273 (same vendor: D-Link)
CVE-2025-9727 (same vendor: D-Link)
CVE-2026-2082 (same vendor: D-Link)

Affected Assets

Vendor: dlink
Product: dap-2695 firmware
Version: 2.00 (the advisory text names build 2.00RC131)

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent)

Directly enforces validation and sanitization of inputs reaching fwupdater_main, blocking the OS command injection vector. On an unpatched device this cannot be applied to the firmware itself; it describes the fix a maintained product would ship.

AC-6 Least Privilege (prevent)

Limits who holds the administrative privilege the attack requires (PR:H), so untrusted accounts cannot meet the precondition. Pair it with restricting network reachability of the management interface, since the attack vector is network (AV:N).

SA-22 Unsupported System Components (prevent, recover)

Addresses continued use of unsupported components (the DAP-2695 firmware) that receive no patches for this flaw: replace the component, or document the compensating controls that are accepted in its place.
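The vulnerable-versus-hardened pattern behind the Deeper analysis above and the SI-10 control described here, as an added C illustration. This is not D-Link's rgbin code (fwupdater_main's internals are not reproduced on this page): the updater path /bin/fwupdate, a request field carrying an image name, and the /tmp staging directory are assumptions chosen to show the bug class. The vulnerable builder pastes the name into a shell command line; the hardened path allowlists the name and then passes it as a single argv element to execv(), so shell metacharacters never reach an interpreter.

```c
/*
 * Added illustration of the CWE-78 pattern and its fix. Not D-Link's code:
 * /bin/fwupdate, the image-name field and /tmp are assumed placeholders.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the attacker-controlled image name is pasted into a
 * command line that is later handed to a shell (e.g. via system()). Any
 * shell metacharacter in the name becomes extra commands.                 */
int build_update_cmd_vulnerable(const char *image, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/bin/fwupdate -f /tmp/%s", image);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened step 1 (SI-10): allowlist, not denylist. Accept only
 * [A-Za-z0-9._-], cap the length, and reject names starting with '-' or
 * '.' so the value can neither become an updater option nor a ".." path. */
int firmware_name_is_safe(const char *image)
{
    size_t len = strlen(image);
    if (len == 0 || len > 64) return 0;
    if (image[0] == '-' || image[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)image[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened step 2: build an argv vector instead of a command string. Each
 * element is exactly one argument, so ';', '|', '$(...)' have no meaning.
 * Returns argc on success, -1 if the name fails validation or is too long. */
int build_update_argv(const char *image, char *pathbuf, size_t pathlen,
                      const char *argv[4])
{
    if (!firmware_name_is_safe(image)) return -1;
    int n = snprintf(pathbuf, pathlen, "/tmp/%s", image);
    if (n < 0 || (size_t)n >= pathlen) return -1;
    argv[0] = "/bin/fwupdate";
    argv[1] = "-f";
    argv[2] = pathbuf;
    argv[3] = NULL;
    return 3;
}

/* Hardened step 3: run the updater without a shell. Returns the child's exit
 * status, or -1 if validation or fork fails. Not called from main() because
 * /bin/fwupdate is a placeholder path that does not exist here.            */
int run_update(const char *image)
{
    char path[128];
    const char *argv[4];
    if (build_update_argv(image, path, sizeof path, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                     /* exec failed: no shell fallback */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input in the shape of a command-injection payload. */
    const char *hostile = "fw.bin;reboot";
    char cmd[256], path[128];
    const char *argv[4];

    build_update_cmd_vulnerable(hostile, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);   /* carries a 2nd command */

    if (build_update_argv(hostile, path, sizeof path, argv) < 0)
        printf("hardened: rejected '%s'\n", hostile);
    if (build_update_argv("DAP2695_v200RC131.bin", path, sizeof path, argv) == 3)
        printf("hardened argv: %s %s %s\n", argv[0], argv[1], argv[2]);
    return 0;
}
```

The allowlist is what SI-10 asks for; the argv-based exec is the structural fix, because it removes the interpreter from the path entirely rather than trying to escape for it. Both are needed: the allowlist alone still leaves an option-injection risk if the name can start with '-', and argv alone still lets a name such as ".." reach the filesystem.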
