Command Injection Vulnerability in D-Link DI-500WF-WT Product
CVE-2025-5492

5.3 MEDIUM

Key Information:

Vendor: D-Link
CVE Published: 3 June 2025

What is CVE-2025-5492?

A command injection vulnerability exists in the D-Link DI-500WF-WT due to improper handling of input parameters within the sub_456DE8 function found in the /msp_info.htm?flag=cmd component of /usr/sbin/jhttpd. This flaw allows attackers to execute arbitrary commands on the device remotely, posing a significant risk to network security. Users are urged to review their D-Link equipment and apply any necessary security updates promptly.

Affected Version(s)

DI-500WF-WT 20250511

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

eternity. (VulDB User)