Introduction
Remote attackers can compromise D-Link routers used in homes and small businesses by exploiting a buffer overflow in the ping diagnostic feature. With public exploit code available, this vulnerability exposes a large install base to memory corruption and potential code execution risks.
D-Link is a major global networking equipment manufacturer, with millions of consumer and small business routers deployed worldwide. The DWR-M920, DWR-M921, DWR-M960, DWR-M961, and DIR-825M are popular 4G LTE and wireless router models, widely used for both primary and backup connectivity.
Technical Information
CVE-2025-13304 is a stack-based buffer overflow in the /boafrm/formPingDiagnosticRun endpoint of affected D-Link routers. The vulnerability is triggered when an attacker sends an HTTP request with an overly long host parameter to this endpoint. The backend code copies this parameter into a fixed-length buffer without proper bounds checking, resulting in memory corruption. This flaw is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
The attack is remote and does not require authentication. Exploit code has been released publicly, which increases the risk of automated exploitation. No code snippets or further implementation details are available in public sources.
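The bug class described above (CWE-120), shown beside a bounds-checked form, as an added illustration in C. It is not the firmware's code, which is not public; the function names and the 64-byte buffer size are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PING_HOST_MAX 64  /* assumed size; the firmware's real buffer size is not public */

/* Unsafe pattern (CWE-120): copies until the NUL, whatever the destination size. */
void ping_host_unchecked(char *dst, const char *host)
{
    strcpy(dst, host);
}

/* Hardened form: reject instead of truncating, and accept only hostname/IP
 * characters. Returns 0 on success, -1 if host is missing, too long or malformed. */
int ping_host_checked(char *dst, size_t dstsize, const char *host)
{
    const char *end;
    size_t len, i;

    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';                        /* dst is a valid empty string on every failure */
    if (host == NULL)
        return -1;
    end = memchr(host, '\0', dstsize);    /* looks at no more than dstsize bytes */
    if (end == NULL || end == host)       /* no room for the terminator, or empty */
        return -1;
    len = (size_t)(end - host);

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return -1;
    }
    memcpy(dst, host, len + 1);           /* len + 1 <= dstsize, terminator included */
    return 0;
}

int main(void)
{
    char buf[PING_HOST_MAX];
    char big[512];                        /* constructed oversized host value */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("192.0.2.10 -> %d\n", ping_host_checked(buf, sizeof buf, "192.0.2.10"));
    printf("511 bytes  -> %d\n", ping_host_checked(buf, sizeof buf, big));
    return 0;
}
```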
Affected Systems and Versions
- D-Link DWR-M920 (firmware 1.01.07)
- D-Link DWR-M921 (firmware 1.01.07)
- D-Link DWR-M960 (firmware 1.01.07)
- D-Link DWR-M961 (firmware 1.01.07)
- D-Link DIR-825M (firmware 1.1.47)
All configurations exposing the /boafrm/formPingDiagnosticRun endpoint are vulnerable.
Vendor Security History
D-Link has a recurring history of memory safety issues in its router lines. Previous vulnerabilities in the DIR-825, DWR, and DAP series have included buffer overflows and command injection flaws, often related to insufficient input validation. Vendor response times have varied, with some advisories and patches delayed or incomplete. Security maturity is improving but remains inconsistent across product lines.



