Cyber Posture

CVE-2025-11665

Medium · Public PoC

Published: 13 October 2025

Modified: 03 November 2025
CVSS Score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0014 (34.0th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11665 is a medium-severity Command Injection (CWE-77) vulnerability in D-Link DAP-2695 firmware. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Indirect Command Execution (T1202). The CVE ranks at the 34.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Indirect Command Execution (T1202) and 1 other technique.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise Techniques (AI)

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

OS command injection in the remote firmware update handler (fwupdater_main in rgbin) enables indirect command execution (T1202) via injected commands and exploitation of a remote service (T1210).

NVD Description

A vulnerability was detected in D-Link DAP-2695 2.00RC131. This affects the function fwupdater_main of the file rgbin of the component Firmware Update Handler. Performing manipulation results in os command injection. The attack may be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer.

Deeper analysis (AI)

CVE-2025-11665 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the D-Link DAP-2695 access point on firmware version 2.00RC131. The flaw exists in the fwupdater_main function within the rgbin file of the Firmware Update Handler component, where manipulation enables command injection.

Remote attackers with high privileges (PR:H) can exploit this vulnerability with low attack complexity and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L, base score 4.7). Successful exploitation allows injection and execution of arbitrary OS commands, resulting in limited impacts to confidentiality, integrity, and availability.

The vulnerability impacts products no longer supported by the maintainer, with no patches available. Relevant details appear in advisories from sources like the GitHub IOTRes/IOT_Firmware_Update repository (D-Link DAP-2695 section) and VulDB entries (ctiid.328084, id.328084).

Details

CWE(s)

Affected Products

dlink · dap-2695 firmware · 2.00

CVEs Like This One

CVE-2025-12295: same product (Dlink Dap-2695)
CVE-2025-9026: same vendor (Dlink)
CVE-2026-3485: same vendor (Dlink)
CVE-2025-9752: same vendor (Dlink)
CVE-2025-2717: same vendor (Dlink)
CVE-2026-2175: same vendor (Dlink)
CVE-2026-2210: same vendor (Dlink)
CVE-2026-2260: same vendor (Dlink)
CVE-2026-2081: same vendor (Dlink)
CVE-2026-2120: same vendor (Dlink)
