
CVE-2025-13304: Buffer Overflow in D-Link DWR-M920

Severity: High
Published: Mon Nov 17 2025 (11/17/2025, 22:32:07 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DWR-M920

Description

A security flaw has been discovered in D-Link DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M 1.01.07/1.1.47. This vulnerability affects unknown code of the file /boafrm/formPingDiagnosticRun. Performing manipulation of the argument host results in buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.

AI-Powered Analysis

AI analysis last updated: 11/24/2025, 23:15:58 UTC

Technical Analysis

CVE-2025-13304 is a buffer overflow vulnerability identified in multiple D-Link router models, specifically DWR-M920, DWR-M921, DWR-M960, DWR-M961, and DIR-825M running firmware versions 1.01.07 and 1.1.47. The vulnerability resides in the handling of the 'host' parameter within the /boafrm/formPingDiagnosticRun endpoint. By crafting a specially manipulated argument for 'host', an attacker can cause a buffer overflow condition remotely, without requiring any authentication or user interaction. This flaw stems from improper input validation and insufficient bounds checking in the affected code, allowing memory corruption. The consequence of this overflow can be arbitrary code execution with elevated privileges on the device, potentially enabling attackers to take full control of the router, disrupt network traffic, or pivot into internal networks. The vulnerability is remotely exploitable over the network, increasing its threat level. Although no active exploitation has been reported in the wild, the public release of exploit code raises the likelihood of imminent attacks. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low complexity, no authentication, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability affects a broad range of D-Link devices commonly deployed in enterprise and consumer environments, making it a significant risk for organizations relying on these routers for network connectivity and security.

Potential Impact

For European organizations, exploitation of CVE-2025-13304 could lead to severe consequences including unauthorized remote control of network routers, interception or manipulation of network traffic, and potential lateral movement within corporate networks. This could result in data breaches, disruption of business operations, and compromise of sensitive information. Critical infrastructure sectors such as finance, healthcare, and government agencies that rely on these D-Link devices for connectivity could face operational outages or espionage risks. The ability to execute arbitrary code remotely without authentication amplifies the threat, as attackers can deploy malware, establish persistent backdoors, or launch further attacks from compromised routers. The public availability of exploit code increases the urgency for European organizations to address this vulnerability promptly to prevent exploitation attempts that could impact confidentiality, integrity, and availability of their networks.

Mitigation Recommendations

1. Immediately restrict remote access to the management interfaces of affected D-Link devices by disabling WAN-side access or implementing strict firewall rules limiting access to trusted IP addresses.
2. Monitor network traffic for unusual activity, especially targeting the /boafrm/formPingDiagnosticRun endpoint or suspicious payloads containing malformed 'host' parameters.
3. Apply firmware updates or patches from D-Link as soon as they become available; if no official patch exists, consider temporary mitigations such as disabling vulnerable services or isolating affected devices on segmented network zones.
4. Conduct a thorough inventory of all D-Link devices in use to identify those running vulnerable firmware versions and prioritize their remediation.
5. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures targeting this specific exploit to detect and block exploitation attempts.
6. Educate IT and security teams about this vulnerability to ensure rapid response and incident handling if exploitation is detected.
7. Consider replacing outdated or unsupported devices with newer models that receive regular security updates to reduce future risk.
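
A sketch of the monitoring in item 2, added here as an example and not taken from D-Link or the CVE record: it inspects raw HTTP requests captured by a sensor and flags `host` values sent to the endpoint that are not a plausible ping target. The 253-character limit is the DNS name maximum, not the device's buffer size (which the advisory does not state); the sample requests and the handling of both query-string and form-body parameters are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boafrm/formPingDiagnosticRun"  # path named in the advisory
MAX_HOSTNAME = 253                          # DNS name length limit (assumed threshold)
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def host_problems(value):
    """Return reasons why a 'host' value is not a plausible ping target."""
    problems = []
    if len(value) > MAX_HOSTNAME:
        problems.append(f"length {len(value)} > {MAX_HOSTNAME}")
    try:
        ipaddress.ip_address(value)          # IPv4/IPv6 literals are fine
        return problems
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        problems.append("not a hostname or IP literal")
    return problems

def inspect_request(raw):
    """Inspect one raw HTTP request (bytes); return a list of findings."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2 or urlsplit(parts[1]).path != ENDPOINT:
        return []
    # latin-1 keeps one character per byte, so len() reflects bytes on the wire.
    opts = dict(keep_blank_values=True, encoding="latin-1")
    hosts = parse_qs(urlsplit(parts[1]).query, **opts).get("host", [])
    hosts += parse_qs(body.decode("latin-1"), **opts).get("host", [])
    if not hosts:
        return ["endpoint requested without a host parameter"]
    return [f"host {p}" for h in hosts for p in host_problems(h)]

# Constructed sample requests (192.0.2.1 is a documentation address).
PREFIX = b"POST " + ENDPOINT.encode() + b" HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
SAMPLES = [
    PREFIX + b"host=example.com",            # ordinary diagnostic ping
    PREFIX + b"host=" + b"A" * 600,          # overlong value
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",  # unrelated page
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:60], "->", inspect_request(sample) or "ok")
```
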


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-17T14:12:06.794Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691ba3aabb922d226272e02f

Added to database: 11/17/2025, 10:37:30 PM

Last enriched: 11/24/2025, 11:15:58 PM

Last updated: 1/7/2026, 8:45:58 AM
