Introduction
Remote attackers can take full control of D-Link DIR-822K and DWR-M920 routers through a critical memory corruption flaw in the web interface. With public exploit code already available, unpatched devices are at immediate risk of compromise and persistent network intrusion.
D-Link is a major global networking hardware vendor with millions of devices deployed worldwide. Their DIR and DWR series routers are widely used in homes and small businesses, making vulnerabilities in these products highly impactful for both individual users and organizations.
Technical Information
CVE-2025-13547 is a stack-based buffer overflow vulnerability in the /boafrm/formDdns endpoint of D-Link DIR-822K and DWR-M920 routers running firmware version 1.00_20250513164613 or 1.1.50. The flaw is triggered when an attacker sends an HTTP request containing a submit-url parameter with a value that exceeds the allocated buffer size. The firmware copies this value into a fixed-size stack buffer without proper bounds checking, resulting in memory corruption.
The root cause is improper input validation for the submit-url parameter. The vulnerable code does not verify the length of the user-supplied value before copying it to the stack. This allows an attacker to overwrite adjacent memory, including function return addresses or control data, which can lead to arbitrary code execution or denial of service. The vulnerability is classified as CWE-119 (improper restriction of operations within the bounds of a memory buffer).
No authentication is required to exploit this flaw. Any remote attacker with network access to the router's web interface can send a malicious request to /boafrm/formDdns and trigger the buffer overflow. Public exploit code is available and can be used to automate attacks.
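As an added example, not code from the page or from D-Link's firmware: a hypothetical C handler that shows the unbounded-copy pattern described above beside a bounded replacement that rejects an oversized submit-url value before it ever reaches the stack buffer. The 64-byte buffer size, the function names and the 'A'-filled test value are assumptions.

```c
#include <string.h>

/* Assumed buffer size; the firmware's real size is not given on the page. */
#define SUBMIT_URL_MAX 64

/* The CWE-119 pattern described above, kept only for contrast and never
 * called: an unbounded copy of the parameter into a fixed-size stack buffer. */
void form_ddns_unchecked(const char *submit_url)
{
    char target[SUBMIT_URL_MAX];
    strcpy(target, submit_url);             /* overflows on a long value */
}

/* Bounded copy: scan at most out_len bytes, refuse a value that would not
 * fit with its terminator, always NUL-terminate. 0 = ok, -1 = rejected. */
static int copy_submit_url(const char *submit_url, char *out, size_t out_len)
{
    size_t n = 0;
    if (submit_url == NULL || out_len == 0)
        return -1;
    while (n < out_len && submit_url[n] != '\0')
        n++;
    if (n >= out_len)                       /* no room left for the NUL */
        return -1;
    memcpy(out, submit_url, n);
    out[n] = '\0';
    return 0;
}

/* Hardened handler: an oversized submit-url is rejected before anything
 * reaches the stack buffer; the caller answers the request with an error. */
int handle_form_ddns(const char *submit_url)
{
    char target[SUBMIT_URL_MAX];
    return copy_submit_url(submit_url, target, sizeof target);
}

/* Boundary check helper: a constructed submit-url of exactly len 'A' bytes
 * (not a captured request) run through the hardened handler. */
int check_submit_url_len(size_t len)
{
    char value[512];
    if (len >= sizeof value)
        return -1;
    memset(value, 'A', len);
    value[len] = '\0';
    return handle_form_ddns(value);
}
```

The boundary sits at 63 bytes: 63 'A's are accepted, 64 are rejected, so the buffer can never be written past its end regardless of what the client sends.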
Affected Systems and Versions
- D-Link DIR-822K, firmware version 1.00_20250513164613 and earlier
- D-Link DWR-M920, firmware version 1.1.50 and earlier
Routers running these firmware versions or older are vulnerable. The attack targets the /boafrm/formDdns endpoint and specifically abuses the submit-url parameter.
Vendor Security History
D-Link has a history of buffer overflow and remote code execution vulnerabilities in its router firmware. Notable examples include CVE-2020-29557 and multiple buffer overflow issues disclosed in 2024 and 2025. Patch response times have varied, and end-of-life policies often leave older devices without security updates. The DIR-822K reached end of support in February 2023, meaning it will not receive further patches.