Introduction
A publicly disclosed buffer overflow in the D-Link DIR-825M router allows unauthenticated remote attackers to crash the web server or take full control of the device with a single HTTP request. With a CVSS score of 8.8 and exploit code already available on GitHub, any DIR-825M running firmware version 1.1.12 that exposes its web management interface (on the LAN, or on the WAN where remote management is enabled) is at immediate risk of takeover, potentially serving as a foothold for network interception, lateral movement, or botnet recruitment.
Technical Information
The vulnerability resides in the sub_414BA8 function, which handles HTTP requests to the /boafrm/formWanConfigSetup endpoint on the D-Link DIR-825M running firmware version 1.1.12. During request processing, this function retrieves the submit-url parameter from the incoming HTTP POST body and copies it into a fixed-size stack buffer using strcpy. Because strcpy performs no bounds checking, a value longer than the allocated buffer overwrites adjacent stack memory, including the saved return address.
The root cause is straightforward: the use of strcpy without any prior validation of the input length. This is classified under both CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
Attack Flow
Exploitation requires no authentication and can be performed entirely over the network:
- The attacker identifies a D-Link DIR-825M router with its web management interface reachable (either on the LAN or, if remote management is enabled, from the WAN).
- The attacker crafts an HTTP POST request to /boafrm/formWanConfigSetup containing an excessively long string in the submit-url parameter.
- The sub_414BA8 function processes the request and calls strcpy to copy the oversized submit-url value into a fixed-size stack buffer.
- The copy operation overflows the buffer, overwriting adjacent stack data including the saved return address.
- Depending on the crafted payload, this results in either a crash of the web server process (denial of service) or redirection of execution to attacker-controlled code (arbitrary code execution granting full control of the router). How reliably the latter can be achieved depends on which exploit mitigations (stack canaries, non-executable stack, ASLR) the firmware build ships with, which the available information does not describe.
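The root-cause pattern and the attack flow above, as an added example that is not the firmware's code: the unsafe strcpy path beside a length-checked replacement, plus a constructed POST body of the shape the attack flow describes, run through the hardened handler so the oversized submit-url is rejected instead of copied. The 64-byte buffer size, the handler names and the extra wanType form field are assumptions made for illustration; the real size of the buffer inside sub_414BA8 is not stated on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMPTION: the real stack buffer size inside sub_414BA8 is not given in the
 * advisory; 64 bytes is an illustrative figure only. */
#define SUBMIT_URL_BUF 64

/* Return a malloc'd, NUL-terminated copy of parameter `name` from an
 * application/x-www-form-urlencoded body, or NULL if it is absent.
 * Matches only at the start of a key=value segment.  Caller frees. */
static char *form_param_dup(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (!out) return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* The pattern the advisory describes (CWE-120): the parameter value is
 * strcpy'd into a fixed-size stack buffer with no length check.  Kept for
 * contrast only; never call it with a value of SUBMIT_URL_BUF bytes or more,
 * because that is exactly the stack overwrite the advisory describes. */
static int handle_wan_config_unsafe(const char *body)
{
    char buf[SUBMIT_URL_BUF];
    char *url = form_param_dup(body, "submit-url");
    if (!url) return -2;
    strcpy(buf, url);                 /* overflows when strlen(url) >= sizeof buf */
    free(url);
    return (int)strlen(buf);
}

/* Hardened form: check the length before copying and reject oversized input
 * outright rather than silently truncating it.  Returns the value length on
 * success, -1 if the value does not fit, -2 if the parameter is missing. */
static int handle_wan_config_safe(const char *body)
{
    char buf[SUBMIT_URL_BUF];
    char *url = form_param_dup(body, "submit-url");
    if (!url) return -2;
    size_t n = strlen(url);
    if (n >= sizeof buf) {            /* >= keeps room for the terminator */
        free(url);
        return -1;
    }
    memcpy(buf, url, n + 1);
    free(url);
    return (int)n;
}

/* Constructed input: a POST body for /boafrm/formWanConfigSetup whose
 * submit-url is url_len bytes of 'A', the shape of the oversized request in
 * the attack flow.  The wanType field is an illustrative assumption.  Caller frees. */
static char *build_wan_config_body(size_t url_len)
{
    const char *prefix = "submit-url=";
    const char *suffix = "&wanType=dhcp";
    size_t plen = strlen(prefix);
    char *body = malloc(plen + url_len + strlen(suffix) + 1);
    if (!body) return NULL;
    memcpy(body, prefix, plen);
    memset(body + plen, 'A', url_len);
    strcpy(body + plen + url_len, suffix);
    return body;
}

/* Build a body with a url_len-byte submit-url and run it through the hardened
 * handler; returns that handler's result (-3 on allocation failure). */
int check_submit_url(size_t url_len)
{
    char *body = build_wan_config_body(url_len);
    if (!body) return -3;
    int r = handle_wan_config_safe(body);
    free(body);
    return r;
}

int main(void)
{
    printf("short value:     %d\n", check_submit_url(20));                   /* 20  */
    printf("boundary value:  %d\n", check_submit_url(SUBMIT_URL_BUF - 1));   /* 63  */
    printf("oversized value: %d\n", check_submit_url(500));                  /* -1  */
    printf("missing param:   %d\n", handle_wan_config_safe("wanType=dhcp"));  /* -2  */
    /* The unsafe handler is only exercised with a value that fits. */
    printf("unsafe, short:   %d\n", handle_wan_config_unsafe("submit-url=/index.htm"));
    return 0;
}
```

The rejection threshold is `>=` rather than `>` because strcpy also writes the terminating NUL; an off-by-one here would still leave a single-byte overwrite of whatever follows the buffer. Rejecting rather than truncating keeps the handler's behaviour predictable for a field that is later used as a redirect target.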
Pattern of Similar Vulnerabilities
This flaw is not an isolated incident. It mirrors a recurring pattern of poor input validation across D-Link's boafrm endpoints on the DIR-825M:
| CVE ID | Affected Endpoint | Parameter | Vulnerability Type |
|---|---|---|---|
| CVE-2026-7289 | /boafrm/formWanConfigSetup | submit-url | Buffer Overflow |
| CVE-2025-13305 | /boafrm/formTracerouteDiagnosticRun | host | Buffer Overflow |
| CVE-2025-13304 | /boafrm/formPingDiagnosticRun | host | Buffer Overflow |
These recurring issues highlight a systemic lack of bounds checking across the device's web management interface, suggesting that additional undiscovered vulnerabilities in other boafrm handlers are plausible.
Affected Systems and Versions
The confirmed affected configuration is:
- Product: D-Link DIR-825M
- Firmware Version: 1.1.12
- Vulnerable Endpoint: /boafrm/formWanConfigSetup
- Vulnerable Function: sub_414BA8
- Vulnerable Parameter: submit-url
Other firmware versions of the DIR-825M have not been confirmed as affected or unaffected based on the available information. Given the systemic nature of the input validation issues in the boafrm handlers, other versions may also be vulnerable and should be treated as such until the vendor states otherwise.
Vendor Security History
D-Link has a well documented track record of security issues in its SOHO router product lines. The DIR-825M alone has been the subject of multiple buffer overflow disclosures in recent months, including CVE-2025-13305 (buffer overflow in /boafrm/formTracerouteDiagnosticRun) and CVE-2025-13304 (buffer overflow in /boafrm/formPingDiagnosticRun). All three vulnerabilities share the same root cause: unbounded string copy operations in HTTP parameter handling.
Beyond the DIR-825M, D-Link has faced active zero day exploitation campaigns targeting discontinued legacy DSL gateways under CVE-2026-0625, for which the company explicitly stated no patches would be released. This precedent is worth noting: if D-Link classifies the DIR-825M v1.1.12 as End of Life, the same outcome is possible, leaving users with no remediation path other than hardware replacement.
References
- CVE-2026-7289 on NVD
- D-Link DIR-825M Buffer Overflow PoC (GitHub)
- VulDB Submission #803025
- VulDB Entry #359947
- VulDB CTI for #359947
- D-Link Official Website
- D-Link Technical Support
- CVE-2025-13305: D-Link DIR-825M Buffer Overflow (SentinelOne)
- CVE-2025-13304 on NVD
- Hackers Exploit Zero Day in Discontinued D-Link Devices (SecurityWeek)
- CISA Home Network Security Guidance