CVE-2025-13305 is a buffer overflow vulnerability identified in several D-Link router models, including DWR-M920, DWR-M921, DWR-M960, DIR-822K, and DIR-825M, all running firmware version 1.01.07. The vulnerability arises from improper handling of the 'host' parameter in the /boafrm/formTracerouteDiagnosticRun endpoint. When this parameter is manipulated with specially crafted input, it causes a buffer overflow condition, which can be exploited remotely without requiring user authentication or interaction. This flaw allows attackers to potentially execute arbitrary code on the affected device or cause a denial of service by crashing the router. The vulnerability is remotely exploitable over the network, increasing the attack surface. The CVSS 4.0 score of 8.7 reflects the ease of exploitation (low attack complexity, no privileges or user interaction needed) and the high impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, a public exploit is available, which could facilitate attacks by less skilled adversaries. The affected devices are commonly used in both consumer and small business environments, and their compromise could lead to network infiltration, data interception, or disruption of internet connectivity.

For European organizations, this vulnerability poses a significant threat, especially for those relying on the affected D-Link routers for internet connectivity or network segmentation. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over the router, intercept or manipulate network traffic, and pivot into internal networks. This could result in data breaches, service outages, or facilitate further attacks such as ransomware or espionage. Critical infrastructure sectors, SMEs, and home office environments using these devices are at risk. The widespread use of D-Link routers in Europe, particularly in countries with high consumer and SMB adoption of these models, increases the potential impact. Additionally, the lack of authentication requirement and remote exploitability make it easier for attackers to target vulnerable devices at scale.

Organizations should immediately verify if they are using any of the affected D-Link models with firmware version 1.01.07. Since no official patches are currently linked, users should check D-Link’s support channels regularly for firmware updates addressing this vulnerability. In the interim, network administrators should restrict access to the router’s management interfaces from untrusted networks, ideally limiting access to trusted IP addresses or internal networks only. Disabling remote management features and traceroute diagnostic functionalities can reduce exposure. Employing network-level protections such as firewalls or intrusion prevention systems to detect and block exploit attempts targeting /boafrm/formTracerouteDiagnosticRun is advisable. Monitoring network traffic for unusual activity and maintaining up-to-date backups of router configurations will aid in recovery if compromise occurs. Finally, organizations should consider replacing vulnerable devices with models that have confirmed security updates if patches are delayed.