CVE-2025-13304: Buffer Overflow in D-Link DWR-M920
A security flaw has been discovered in D-Link DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M firmware 1.01.07/1.1.47. The vulnerability affects unknown code of the file /boafrm/formPingDiagnosticRun. Manipulating the argument host results in a buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-13304 is a remotely reachable buffer overflow in the web management interface of several D-Link routers: DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M, in firmware versions 1.01.07 and 1.1.47. The affected handler is /boafrm/formPingDiagnosticRun, the form handler behind the ping diagnostic page of the device's Boa embedded web server, and the overflow is triggered through its host argument, the target the device is asked to ping. The advisory does not name the exact function, so the size of the overflowed buffer and whether it sits on the stack or the heap are not public. On routers of this class the web server typically runs as root with few memory-safety mitigations, so a controllable overflow is commonly escalated to arbitrary code execution, which would give an attacker control of the device, the ability to disrupt or redirect traffic, and access to stored configuration. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P describes a network attack of low complexity with no user interaction, high impact on confidentiality, integrity and availability, and E:P, a public proof of concept. Note PR:L: the vector assumes the attacker already holds low-privileged access to the management interface, typically a login to the web UI, so it does not describe an unauthenticated attack; default or reused administrator credentials on such devices often make that distinction academic in practice. No active exploitation has been reported, but with exploit code public, any management interface reachable from untrusted networks should be treated as at immediate risk.
Potential Impact
For European organizations, the exposure comes from the device's position at the network edge. An attacker who gains code execution on the router can intercept or redirect traffic passing through it, alter DNS and firewall settings, cut connectivity, or pivot into the internal network behind it. That maps onto confidentiality (traffic and stored credentials exposed), integrity (altered configuration and traffic) and availability (denial of service or an unusable device). Organizations that rely on these models for branch or remote-site connectivity, including in finance, healthcare and government, could face operational disruption and data exposure. The privilege requirement is low: a login to the web interface is enough, and on routers of this kind that is often a default or shared administrator password. Devices whose management interface is reachable from the internet, or from a flat internal network, are at the highest risk, and the public exploit code lowers the skill needed to attack them.
Mitigation Recommendations
1. Inventory all D-Link devices in use, focusing on the DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M, and record the firmware version of each (the advisory lists 1.01.07 and 1.1.47 as affected).
2. Check D-Link's support site for fixed firmware for each model and apply it promptly; the advisory does not state whether a fix is available yet, so re-check until one is.
3. Until patched, keep the management interface off untrusted networks: disable WAN-side (remote) management, and on the LAN restrict access to the web UI to a management VLAN or a short list of administrator addresses using firewall rules.
4. Because the CVSS vector requires only low privileges, change default and shared administrator passwords; a login to the web UI is the only gate in front of the vulnerable form handler, which is part of the normal admin interface.
5. Monitor web-server logs, proxy captures or IDS payloads for requests to /boafrm/formPingDiagnosticRun, especially ones whose host argument is abnormally long or contains bytes that cannot occur in a hostname or IP address.
6. Deploy IDS/IPS signatures for the endpoint and for the published exploit's request pattern, and alert on any hit from a source that is not an administrator workstation.
7. Brief network administrators on the vulnerability and add a router-compromise scenario (traffic interception, DNS tampering, persistent firmware modification) to incident response plans.
8. Where patching is not feasible, plan to replace these devices with supported hardware rather than relying indefinitely on network restrictions.
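As an added example (not code from D-Link, VulDB or offseq), the following Python script implements the monitoring step above over captured requests: it parses raw HTTP, decodes the query string and form body to raw bytes, and flags requests to /boafrm/formPingDiagnosticRun whose host argument is over-long or contains bytes that cannot occur in a hostname or IP literal. The 253-byte ceiling, the character whitelist, the sample requests and the /boafrm/formLogin path are assumptions, since the advisory does not disclose the buffer size or the exploit's exact payload.

```python
"""Triage helper for CVE-2025-13304: flag HTTP requests that send an over-long or
malformed `host` argument to the D-Link form handler /boafrm/formPingDiagnosticRun.
Added example, not code from D-Link, VulDB or offseq. The length ceiling, the
character whitelist and all sample traffic are constructed assumptions; the
advisory does not state the size of the overflowed buffer."""
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

VULN_PATH = b"/boafrm/formPingDiagnosticRun"
# Assumed ceiling: 253 bytes is the longest valid FQDN, so a ping form never
# needs more. Lower it if the real buffer size becomes public.
MAX_HOST_LEN = 253
# Bytes that can occur in a hostname, IPv4 address or bracketed IPv6 literal.
# Spaces, shell metacharacters, NUL and high bytes never belong in a ping target.
HOST_CHARS_RE = re.compile(rb"[A-Za-z0-9.\-:\[\]]*")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body), all bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_form(encoded: bytes):
    """Decode x-www-form-urlencoded bytes into {name: [values]} keeping raw bytes,
    so percent-encoded non-UTF-8 payloads (%90, %FF) survive exactly as sent;
    urllib's parse_qs would replace or reject them."""
    fields = {}
    for pair in encoded.split(b"&"):
        if pair:
            name, _, value = pair.partition(b"=")
            fields.setdefault(unquote_to_bytes(name.replace(b"+", b" ")), []).append(
                unquote_to_bytes(value.replace(b"+", b" ")))
    return fields


def analyze_request(raw: bytes, max_host_len: int = MAX_HOST_LEN):
    """Return a finding dict for a suspicious request to the vulnerable handler, else None.
    The argument is looked for in both the query string and a form body."""
    method, target, headers, body = parse_http_request(raw)
    path, _, query = target.partition(b"?")
    if path != VULN_PATH:
        return None
    values = parse_form(query).get(b"host", [])
    if body and headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        values += parse_form(body).get(b"host", [])
    reasons = []
    for value in values:
        if len(value) > max_host_len:
            reasons.append(f"host length {len(value)} exceeds {max_host_len}")
        if not HOST_CHARS_RE.fullmatch(value):
            reasons.append("host contains bytes never valid in a hostname or IP literal")
    if not reasons:
        return None
    return {"method": method.decode(errors="replace"), "path": path.decode(),
            "host_len": max(len(v) for v in values), "reasons": reasons}


def scan_captures(captures):
    """Run analyze_request over (source_ip, raw_request) pairs and return the hits."""
    return [(src, f) for src, raw in captures if (f := analyze_request(raw))]


def build_request(method: bytes, target: bytes, body: bytes = b"") -> bytes:
    """Assemble a minimal raw HTTP/1.1 request; used only to construct sample traffic."""
    req = method + b" " + target + b" HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    if body:
        req += (b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return req + b"\r\n" + body


# Constructed sample traffic, not real captures. /boafrm/formLogin is a
# hypothetical sibling path used only to show that other handlers are ignored.
BENIGN = build_request(b"POST", VULN_PATH, b"host=8.8.8.8&count=4")
OVERLONG = build_request(b"POST", VULN_PATH, b"host=" + b"A" * 600 + b"&count=4")
BINARY = build_request(b"POST", VULN_PATH, b"host="
                       + quote_from_bytes(b"\x90" * 16 + b"\xef\xbe\xad\xde").encode()
                       + b"&count=4")
VIA_GET = build_request(b"GET", VULN_PATH + b"?host=" + b"%41" * 400)
OTHER_PATH = build_request(b"POST", b"/boafrm/formLogin",
                           b"username=admin&password=" + b"A" * 600)
SAMPLE_CAPTURES = [("192.168.0.10", BENIGN), ("203.0.113.7", OVERLONG),
                   ("203.0.113.7", BINARY), ("198.51.100.23", VIA_GET),
                   ("192.168.0.10", OTHER_PATH)]

if __name__ == "__main__":
    for src, hit in scan_captures(SAMPLE_CAPTURES):
        print(f"{src}: {hit['method']} {hit['path']} host_len={hit['host_len']}: "
              + "; ".join(hit["reasons"]))
```

analyze_request takes one raw request, so it can be fed from a proxy log, a PCAP export or an IDS payload field without changes. Two caveats: the real buffer is probably much smaller than 253 bytes, so a legitimate-looking but long hostname from an untrusted source still deserves a look; and for hunting on a network where only administrators should run diagnostics, any request to the endpoint from another source is itself the alert, regardless of the host value.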
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-17T14:12:06.794Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691ba3aabb922d226272e02f
Added to database: 11/17/2025, 10:37:30 PM
Last enriched: 11/17/2025, 10:53:00 PM
Last updated: 11/18/2025, 9:18:09 AM
Views: 9
Related Threats
- Medium: CVE-2025-26391: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in SolarWinds SolarWinds Observability Self-Hosted
- Medium: CVE-2025-40545: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in SolarWinds SolarWinds Observability Self-Hosted
- Critical: CVE-2025-40549: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in SolarWinds Serv-U
- Critical: CVE-2025-40548: CWE-269 Improper Privilege Management in SolarWinds Serv-U
- Critical: CVE-2025-40547: CWE-116 Improper Encoding or Escaping of Output in SolarWinds Serv-U