CVE-2025-13304

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in D-Link routers allows remote attackers to execute arbitrary code by manipulating the 'host' parameter in the ping diagnostic form. This affects D-Link DWR-M920, DWR-M921, DWR-M960, DWR-M961, and DIR-825M routers running vulnerable firmware versions. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • D-Link DWR-M920
  • D-Link DWR-M921
  • D-Link DWR-M960
  • D-Link DWR-M961
  • D-Link DIR-825M
Versions: 1.01.07/1.1.47
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component handling ping diagnostic requests. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and botnet recruitment.

🟠 Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢 If Mitigated

Denial of service or limited information disclosure if exploit fails or is partially mitigated by security controls.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication on internet-facing routers.
🏢 Internal Only: MEDIUM - Internal routers could be exploited by attackers who have gained network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in GitHub repositories. The vulnerability requires sending a specially crafted HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check D-Link security advisories for firmware updates.
2. Download appropriate firmware for your model.
3. Access router admin interface.
4. Navigate to firmware update section.
5. Upload and apply new firmware.
6. Reboot router.

🔧 Temporary Workarounds

Disable WAN access to admin interface

Platform: all

Prevent external access to the vulnerable web interface component

Access router admin panel -> Security -> Remote Management -> Disable

Block access to vulnerable endpoint

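Platform: linux

Use firewall rules to block access to /boafrm/formPingDiagnosticRun. The string match only sees cleartext payloads, so the port 443 rule cannot match the path inside TLS-encrypted requests. The INPUT chain only covers traffic addressed to the host running iptables; on a Linux gateway in front of the router the same match belongs in the FORWARD chain.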

iptables -A INPUT -p tcp --dport 80 -m string --string "/boafrm/formPingDiagnosticRun" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/boafrm/formPingDiagnosticRun" --algo bm -j DROP

🧯 If You Can't Patch

  • Replace affected routers with supported models
  • Isolate vulnerable routers in separate network segments with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface or via command: curl -s http://router-ip/ | grep -i 'firmware version'

Check Version:

curl -s http://router-ip/ | grep -i 'version' || ssh admin@router 'show version'

Verify Fix Applied:

Verify firmware version is updated beyond 1.01.07/1.1.47 and test if /boafrm/formPingDiagnosticRun endpoint responds to malicious payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /boafrm/formPingDiagnosticRun
  • Large payloads in ping diagnostic requests
  • Multiple failed login attempts followed by ping diagnostic access

Network Indicators:

  • HTTP traffic to router IP on port 80/443 with long host parameter values
  • Unusual outbound connections from router after ping diagnostic requests

SIEM Query:

source="router_logs" AND (url="/boafrm/formPingDiagnosticRun" AND (host="*" OR content_length>100))
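
The log and network indicators above, turned into a check, as an added example that is not part of the original advisory. It assumes a reverse proxy or IDS that writes one JSON record per request with hypothetical fields `src`, `path`, `body` and `content_length`; the non-hostname character test is an extra heuristic beyond the listed indicators.

```python
import json
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boafrm/formPingDiagnosticRun"  # path named in the advisory
MAX_HOST_LEN = 253        # longest valid DNS name; IP literals are shorter
MAX_CONTENT_LENGTH = 100  # same threshold as the SIEM query above
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:")

def inspect_request(record):
    """Return the reasons one logged request looks like an overflow attempt."""
    if urlsplit(record.get("path") or "").path != ENDPOINT:
        return []
    body = record.get("body")
    if body is None:
        # Body not captured by the logger: fall back to request size alone.
        size = int(record.get("content_length") or 0)
        return ["large body"] if size > MAX_CONTENT_LENGTH else []
    reasons = []
    # parse_qs percent-decodes, so "%41%41..." is measured after decoding.
    for host in parse_qs(body, keep_blank_values=True).get("host", []):
        if len(host) > MAX_HOST_LEN:
            reasons.append(f"host length {len(host)}")
        if not set(host) <= HOST_CHARS:
            reasons.append("host has non-hostname characters")
    return reasons

def scan(lines):
    """Return (source address, reasons) for each suspicious JSON log line."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        reasons = inspect_request(record) if isinstance(record, dict) else []
        if reasons:
            hits.append((record.get("src"), reasons))
    return hits

SAMPLE_LOG = [  # constructed records; field names are an assumed schema
    json.dumps({"src": "192.0.2.10", "path": ENDPOINT, "body": "host=example.com"}),
    json.dumps({"src": "198.51.100.7", "path": ENDPOINT, "body": "host=" + "%41" * 300}),
    json.dumps({"src": "198.51.100.8", "path": ENDPOINT, "content_length": 900}),
    json.dumps({"src": "192.0.2.10", "path": "/index.html"}),
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```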
