Command Injection Vulnerability in D-Link DAP-2695 Firmware Update Component
CVE-2025-11665
5.1 MEDIUM
What is CVE-2025-11665?
A security flaw in the firmware update handler of the D-Link DAP-2695 allows remote attackers to execute arbitrary OS commands. The cause is improper neutralization of argument delimiters in the command processing code. The vulnerability resides in the fwupdater_main function within the rgbin file and can be exploited on unsupported products. Users are encouraged to stop using the affected device or to update its firmware to mitigate the risk.
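The following C example is added here and is not code from the firmware or from D-Link; the page does not show the affected code. It illustrates the general mitigation for argument-delimiter injection: allow-list the untrusted value, then pass it as a single argv element after `--` instead of pasting it into a command string. The names `arg_is_safe` and `build_update_argv`, the `/usr/sbin/updater` path and the sample inputs are all hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list check for one untrusted argument (for example an
 * image path). Returns 1 only if the value cannot be split into extra
 * arguments or be read as an option by the program that receives it. */
int arg_is_safe(const char *s)
{
    size_t n;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return 0;                 /* empty, or would parse as an option */
    n = strlen(s);
    if (n > 255)
        return 0;                 /* assumed length limit */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        /* Anything outside this set (space, tab, newline, quotes, ';',
         * '|', '$', backtick) is a delimiter or shell metacharacter. */
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Fill argv for execv(): the untrusted value occupies exactly one slot and
 * follows "--", so no shell ever tokenises it. Returns argc, or -1 if the
 * value is rejected. "tool" is a placeholder program path. */
int build_update_argv(const char *tool, const char *image, const char *argv[4])
{
    if (!arg_is_safe(image))
        return -1;
    argv[0] = tool;
    argv[1] = "--";
    argv[2] = image;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *in[] = { "/tmp/fw.bin", "/tmp/fw.bin -x", "-o/tmp/x", "fw.bin;x" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-16s -> %s\n", in[i],
               build_update_argv("/usr/sbin/updater", in[i], argv) < 0 ? "rejected" : "accepted");
    return 0;
}
```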
Affected Version(s)
DAP-2695 2.00RC131