Introduction
Remote attackers can take full control of affected D-Link routers, intercepting network traffic and potentially compromising all connected devices. The buffer overflow in the traceroute diagnostic function is trivial to exploit and public proof-of-concept code is already available, making unpatched routers a prime target for opportunistic attacks.
D-Link is a major networking hardware manufacturer with a global footprint. Its routers are widely used in homes and small businesses, with millions of units deployed worldwide. The company has a history of security issues in its firmware, especially buffer overflows and web interface vulnerabilities.
Technical Information
CVE-2025-13305 is a stack-based buffer overflow vulnerability in the /boafrm/formTracerouteDiagnosticRun endpoint of several D-Link routers running firmware version 1.01.07. The flaw is triggered by improper bounds checking on the host parameter. When a remote attacker sends an HTTP POST request with an excessively long or specially crafted host value, the firmware copies this input into a fixed-size stack buffer without verifying its length. This allows for overwriting adjacent memory regions, including control data such as return addresses.
The result is a classic buffer overflow condition. Depending on the payload, this can crash the router (denial of service) or allow the attacker to execute arbitrary code with the privileges of the web server process. Since the endpoint is accessible remotely and does not require authentication, exploitation is low-complexity and can be performed from any network segment that can reach the router's management interface.
No vulnerable code snippets are available in public sources, but the vulnerability is confirmed in public advisories and exploit repositories.
Proof of Concept
The Proof-of-Concept (PoC) exploit for CVE-2025-13305 targets a buffer overflow vulnerability in D-Link routers, specifically models DWR-M920, DWR-M921, DWR-M960, DIR-822K, and DIR-825M running firmware version 1.01.07. The vulnerability resides in the /boafrm/formTracerouteDiagnosticRun endpoint, where the host parameter is improperly handled, leading to a buffer overflow condition.
Understanding the Exploit Mechanism:
In this scenario, the router's firmware processes user input from the host parameter without adequate bounds checking. By sending an HTTP request with an excessively long or specially crafted host value, an attacker can overwrite adjacent memory regions. This overflow can disrupt normal device operations, potentially leading to arbitrary code execution with the device's privileges.
Potential Consequences:
- Remote Code Execution: Exploiting this vulnerability could allow attackers to execute malicious code remotely, gaining control over the device.
- Denial of Service (DoS): The buffer overflow may cause the device to crash or become unresponsive, disrupting network services.
- Network Compromise: With control over the router, attackers could intercept, modify, or reroute network traffic, compromising the security of connected devices.
Mitigation Recommendations:
- Firmware Update: Users should promptly check for and apply firmware updates from D-Link that address this vulnerability.
- Access Controls: Restrict access to the router's management interfaces to trusted networks or specific IP addresses.
- Monitoring: Implement network monitoring to detect unusual activities that may indicate exploitation attempts.
Given the availability of a public exploit, it is crucial for users of the affected D-Link models to take immediate action to secure their devices.
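The access-control and monitoring recommendations above, as an added example (not code from the advisory or from D-Link): a Python check over HTTP requests captured in front of the router's management interface. It assumes a proxy or IDS that records request bodies, a form-encoded host field, and a placeholder trusted admin subnet of 192.168.0.0/24; the 253-character limit is the maximum DNS name length, not the firmware's buffer size, which the page does not give.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boafrm/formTracerouteDiagnosticRun"  # path named on this page
MAX_HOST_LEN = 253                                # longest valid DNS name
HOST_RE = re.compile(r"[A-Za-z0-9.:-]+")          # hostnames, IPv4/IPv6 literals
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]  # assumed admin LAN


def inspect_request(src_ip, method, url, body):
    """Return findings for one captured HTTP request (empty list if benign)."""
    if method.upper() != "POST" or urlsplit(url).path != ENDPOINT:
        return []
    findings = []
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")
    # parse_qs percent-decodes values; undecodable bytes become U+FFFD
    hosts = parse_qs(body).get("host", [])
    if len(hosts) > 1:
        findings.append("duplicate-host-param")
    for value in hosts:
        if len(value) > MAX_HOST_LEN:
            findings.append("oversized-host")
        if not HOST_RE.fullmatch(value):
            findings.append("invalid-host-chars")
    return findings


# Constructed sample records: (source IP, method, URL, request body)
SAMPLE = [
    ("192.168.0.10", "POST", ENDPOINT, "host=example.com"),
    ("203.0.113.7", "POST", ENDPOINT, "host=" + "A" * 600),
    ("192.168.0.11", "POST", ENDPOINT, "host=10.0.0.1%00%ff"),
    ("203.0.113.7", "GET", "/index.html", ""),
]


def scan(records):
    """Return (record index, findings) for every record that raised a finding."""
    hits = []
    for i, rec in enumerate(records):
        found = inspect_request(*rec)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for index, found in scan(SAMPLE):
        print(index, SAMPLE[index][0], ", ".join(found))
```

Any "untrusted-source" hit also means the management interface is reachable from outside the admin network, which is worth fixing regardless of the payload.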
PoC source: https://www.cvetodo.com/cve/CVE-2025-13305
Affected Systems and Versions
- D-Link DWR-M920 firmware 1.01.07
- D-Link DWR-M921 firmware 1.01.07
- D-Link DWR-M960 firmware 1.01.07
- D-Link DIR-822K firmware 1.01.07
- D-Link DIR-825M firmware 1.01.07
Only these specific models and firmware versions are confirmed vulnerable. The flaw is present in the traceroute diagnostic function exposed at /boafrm/formTracerouteDiagnosticRun.
Vendor Security History
D-Link has a long history of buffer overflow and remote code execution vulnerabilities in its router products. Notable previous issues include:
- CVE-2020-29557: Buffer overflow in DIR-825 R1 (CVSS 9.8), actively exploited in the wild
- Multiple 2024 advisories for buffer overflows and command injection in DIR-X5460, DIR-X4860, and COVR-X1870
- End-of-life policies for many models, leaving them unsupported and unpatched
D-Link's response to security issues has been inconsistent, with some vulnerabilities remaining unpatched for extended periods, especially for older or end-of-life devices.