CVE-2025-13305 - Vulnerability Details

A weakness has been identified in D-Link DWR-M920, DWR-M921, DWR-M960, DIR-822K and DIR-825M 1.01.07. This issue affects some unknown processing of the file /boafrm/formTracerouteDiagnosticRun. Executing manipulation of the argument host can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
D-link	Dir-822 Dir-825 Dwr-920 Dwr-921 Dwr-960
Dlink	Dir-825m Dir-825m Firmware Dwr-m920 Dwr-m920 Firmware Dwr-m921 Dwr-m921 Firmware Dwr-m960 Dwr-m960 Firmware Dwr-m961 Dwr-m961 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dir-825m_firmware:1.01.07:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-825m:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dlink:dwr-m920_firmware:1.01.07:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m920:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:dlink:dwr-m921_firmware:1.01.07:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m921:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:dlink:dwr-m961_firmware:1.01.07:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m961:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:dlink:dwr-m960_firmware:1.01.07:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m960:b1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/LX-LX88/cve/issues/12
https://vuldb.com/?ctiid.332645
https://vuldb.com/?id.332645
https://vuldb.com/?submit.691809
https://vuldb.com/?submit.691816
https://vuldb.com/?submit.693784
https://vuldb.com/?submit.693806
https://vuldb.com/?submit.695424
https://www.dlink.com/

History

Mon, 08 Dec 2025 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dir-825m Dlink dir-825m Firmware Dlink dwr-m920 Dlink dwr-m920 Firmware Dlink dwr-m921 Dlink dwr-m921 Firmware Dlink dwr-m960 Dlink dwr-m960 Firmware Dlink dwr-m961 Dlink dwr-m961 Firmware
CPEs		cpe:2.3:h:dlink:dir-825m:-:::::::* cpe:2.3:h:dlink:dwr-m920:-:::::::* cpe:2.3:h:dlink:dwr-m921:-:::::::* cpe:2.3:h:dlink:dwr-m960:b1:::::::* cpe:2.3:h:dlink:dwr-m961:-:::::::* cpe:2.3:o:dlink:dir-825m_firmware:1.01.07:::::::* cpe:2.3:o:dlink:dwr-m920_firmware:1.01.07:::::::* cpe:2.3:o:dlink:dwr-m921_firmware:1.01.07:::::::* cpe:2.3:o:dlink:dwr-m960_firmware:1.01.07:::::::* cpe:2.3:o:dlink:dwr-m961_firmware:1.01.07:::::::*
Vendors & Products		Dlink Dlink dir-825m Dlink dir-825m Firmware Dlink dwr-m920 Dlink dwr-m920 Firmware Dlink dwr-m921 Dlink dwr-m921 Firmware Dlink dwr-m960 Dlink dwr-m960 Firmware Dlink dwr-m961 Dlink dwr-m961 Firmware

Tue, 18 Nov 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link dir-822 D-link dir-825 D-link dwr-920 D-link dwr-921 D-link dwr-960
Vendors & Products		D-link D-link dir-822 D-link dir-825 D-link dwr-920 D-link dwr-921 D-link dwr-960

Mon, 17 Nov 2025 23:15:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in D-Link DWR-M920, DWR-M921, DWR-M960, DIR-822K and DIR-825M 1.01.07. This issue affects some unknown processing of the file /boafrm/formTracerouteDiagnosticRun. Executing manipulation of the argument host can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.
Title		D-Link DWR-M920/DWR-M921/DWR-M960/DIR-822K/DIR-825M formTracerouteDiagnosticRun buffer overflow
Weaknesses		CWE-119 CWE-120
References		https://github.com/LX-LX88/cve/issues/12 https://vuldb.com/?ctiid.332645 https://vuldb.com/?id.332645 https://vuldb.com/?submit.691809 https://vuldb.com/?submit.691816 https://vuldb.com/?submit.693784 https://vuldb.com/?submit.693806 https://vuldb.com/?submit.695424 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-11-17T23:02:06.147Z

Updated: 2025-11-18T14:41:07.089Z

Reserved: 2025-11-17T14:12:10.254Z

Link: CVE-2025-13305

Vulnrichment

Updated: 2025-11-18T14:41:01.172Z

NVD

Status : Analyzed

Published: 2025-11-17T23:15:49.183

Modified: 2025-12-08T14:35:13.063

Link: CVE-2025-13305

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object