CVE-2025-13548: Buffer Overflow in D-Link DIR-822K
A vulnerability has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. It affects unspecified code in the file /boafrm/formFirewallAdv. Manipulating the argument submit-url leads to a buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-13548 is a remote buffer overflow vulnerability identified in D-Link DIR-822K and DWR-M920 routers running firmware versions 1.00_20250513164613 and 1.1.50. The vulnerability resides in the handling of the submit-url argument within the /boafrm/formFirewallAdv endpoint. An attacker can craft a malicious request that overflows the buffer, potentially allowing arbitrary code execution on the device without requiring authentication or user interaction. The vulnerability is remotely exploitable over the network, making it highly dangerous. The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges needed. Although no known exploits are currently active in the wild, the public disclosure of exploit code increases the likelihood of exploitation attempts. This vulnerability could allow attackers to take full control of affected routers, intercept or manipulate network traffic, disrupt services, or pivot into internal networks. The lack of available patches at the time of disclosure necessitates immediate defensive measures to reduce exposure.
Potential Impact
For European organizations, this vulnerability poses a significant threat to network security and operational continuity. Compromise of D-Link DIR-822K or DWR-M920 routers could lead to unauthorized access to internal networks, interception of sensitive communications, and disruption of internet connectivity. Critical sectors such as finance, healthcare, and government agencies relying on these routers for secure network access may experience data breaches or service outages. The remote, unauthenticated nature of the exploit increases the attack surface, especially for organizations with internet-facing devices. Additionally, the potential for attackers to use compromised routers as footholds for lateral movement or launching further attacks amplifies the risk. The absence of patches at disclosure heightens the urgency for interim mitigations to prevent exploitation and limit damage.
Mitigation Recommendations
1. Immediately inventory and identify all D-Link DIR-822K and DWR-M920 devices running affected firmware versions within the network.
2. Monitor vendor channels closely for official firmware updates or patches addressing CVE-2025-13548 and apply them promptly upon release.
3. Until patches are available, restrict external access to router management interfaces, especially the /boafrm/formFirewallAdv endpoint, using firewall rules or network segmentation.
4. Implement network intrusion detection/prevention systems (IDS/IPS) with signatures to detect attempts to exploit the submit-url parameter.
5. Employ strict network segmentation to isolate vulnerable devices from critical internal systems.
6. Regularly audit router configurations and logs for suspicious activity indicative of exploitation attempts.
7. Educate IT staff about the vulnerability and ensure incident response plans include steps for potential exploitation scenarios.
8. Consider temporary replacement of vulnerable devices with alternative hardware if patching is delayed.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-22T15:08:56.294Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6922f42ae2031d6840968b42
Added to database: 11/23/2025, 11:46:50 AM
Last enriched: 11/23/2025, 12:01:56 PM
Last updated: 11/23/2025, 2:19:59 PM