CVE-2025-13306

6.3 MEDIUM

📋 TL;DR

This CVE describes a command injection vulnerability in D-Link routers that allows attackers to execute arbitrary commands on affected devices by manipulating the 'host' parameter in the /boafrm/formDebugDiagnosticRun endpoint. The vulnerability affects D-Link DWR-M920, DWR-M921, DIR-822K, and DIR-825M routers running firmware version 1.1.5. Remote exploitation is possible, potentially allowing attackers to gain control of vulnerable devices.

💻 Affected Systems

Products:
  • D-Link DWR-M920
  • D-Link DWR-M921
  • D-Link DIR-822K
  • D-Link DIR-825M
Versions: 1.1.5
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected. The vulnerable endpoint is part of the web management interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing persistent backdoor installation, credential theft, network pivoting, and participation in botnets.

🟠 Likely Case: Remote code execution leading to device takeover, network reconnaissance, and potential lateral movement within the network.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation is possible, and vulnerable devices are often directly exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details have been publicly disclosed on GitHub. The vulnerability requires authentication to the web interface, but default credentials or credential reuse could facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the D-Link support site for firmware updates.
2. Download the appropriate firmware for your model.
3. Access the router web interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable remote management (applies to: all)
  Purpose: Prevent external access to the web management interface
  Steps: Access router web interface > Advanced > Remote Management > Disable

Change default credentials (applies to: all)
  Purpose: Use strong, unique passwords for router administration
  Steps: Access router web interface > Management > Account > Change password

🧯 If You Can't Patch

  • Isolate affected routers in a separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious traffic to/from router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface: Login > Status > Firmware Information. If the version is 1.1.5, the device is vulnerable.

Check Version:

curl -k https://[router-ip]/status.cgi (requires authentication)

Verify Fix Applied:

Verify that the firmware version has been updated to one later than 1.1.5.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /boafrm/formDebugDiagnosticRun
  • Multiple failed login attempts followed by successful authentication

Network Indicators:

  • Unexpected outbound connections from router
  • Suspicious commands in HTTP POST parameters

SIEM Query:

source="router-logs" AND (uri="/boafrm/formDebugDiagnosticRun" OR command="ping" OR command="wget" OR command="curl")
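The log and network indicators above can be turned into a small offline check. The following script is an added example written for this page, not tooling from D-Link or from the CVE disclosure: it parses a constructed, simplified access-log format (timestamp, source IP, method, URI, status, and an optional captured POST body), flags every POST to /boafrm/formDebugDiagnosticRun, checks whether the decoded host parameter still looks like a hostname or IP address (anything else is treated as a probable injection attempt), looks for the ping/wget/curl command names the SIEM query keys on, and separately detects the "several failed logins followed by a success" pattern. The login URI /boafrm/formLogin, the 401/200 status convention, and all sample log lines are assumptions; adapt them to what your proxy or WAF actually records.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Endpoint named in the advisory.
DEBUG_ENDPOINT = "/boafrm/formDebugDiagnosticRun"
# Hypothetical login URI and status codes (assumption, not from the page).
LOGIN_ENDPOINT = "/boafrm/formLogin"
LOGIN_FAIL_STATUSES = {401, 403}

# A legitimate diagnostic target should be a plain hostname or IPv4/IPv6 address.
# Anything outside this character set (';', '|', '`', '$', spaces, newlines, ...)
# is not a valid host and is treated as a probable injection attempt.
HOST_OK = re.compile(r"^[A-Za-z0-9.\-:]+$")
# Command names the advisory's SIEM query already looks for.
SUSPICIOUS_CMDS = re.compile(r"\b(ping|wget|curl)\b")

# Constructed log format: "<ts> <src> <METHOD> <uri> <status> [body=\"...\"]".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})'
    r'(?: body="(?P<body>[^"]*)")?$'
)

# Constructed sample lines (not real traffic): a short login brute-force, one
# benign diagnostic run, one with shell metacharacters in the host parameter.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z 192.0.2.10 POST /boafrm/formLogin 401
2025-11-20T10:00:02Z 192.0.2.10 POST /boafrm/formLogin 401
2025-11-20T10:00:03Z 192.0.2.10 POST /boafrm/formLogin 401
2025-11-20T10:00:04Z 192.0.2.10 POST /boafrm/formLogin 200
2025-11-20T10:00:05Z 192.0.2.10 POST /boafrm/formDebugDiagnosticRun 200 body="host=192.0.2.1"
2025-11-20T10:00:06Z 192.0.2.10 POST /boafrm/formDebugDiagnosticRun 200 body="host=192.0.2.1%3Bwget+x"
2025-11-20T10:00:07Z 192.0.2.20 GET /status.cgi 200
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def host_param(body):
    """Extract and percent-decode the host parameter from a form-encoded body.
    Decoding first means %3B is seen as ';' and '+' as a space, so encoded
    metacharacters are not missed. A raw, unencoded '&' would split the value;
    flag unexpected extra parameters separately if your logs capture them."""
    if not body:
        return ""
    return parse_qs(body, keep_blank_values=True).get("host", [""])[0]


def classify(rec):
    """Return the list of reasons a single record is suspicious (empty if none)."""
    reasons = []
    if rec["method"] == "POST" and rec["uri"] == DEBUG_ENDPOINT:
        reasons.append("post_to_debug_endpoint")
        host = host_param(rec["body"])
        if not HOST_OK.fullmatch(host):
            reasons.append("host_param_not_hostname")
        if SUSPICIOUS_CMDS.search(host):
            reasons.append("command_name_in_host_param")
    return reasons


def login_bruteforce(records, threshold=3):
    """Report sources whose successful login followed >= threshold failures."""
    failed = defaultdict(int)
    hits = []
    for r in records:
        if r["uri"] != LOGIN_ENDPOINT:
            continue
        if r["status"] in LOGIN_FAIL_STATUSES:
            failed[r["src"]] += 1
        elif r["status"] == 200:
            if failed[r["src"]] >= threshold:
                hits.append((r["src"], failed[r["src"]]))
            failed[r["src"]] = 0
    return hits


def scan(text):
    """Return (timestamp, source, reasons) alerts for a whole log."""
    records = parse_log(text)
    alerts = [(r["ts"], r["src"], classify(r)) for r in records if classify(r)]
    for src, n in login_bruteforce(records):
        alerts.append(("-", src, [f"{n}_failed_logins_then_success"]))
    return alerts


if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, ", ".join(reasons))
```

Running it on the constructed sample yields three alerts: the benign diagnostic run is reported only as a hit on the debug endpoint (worth a look on its own, since routine users rarely call it), the second run is additionally flagged for a non-hostname value and a command name, and 192.0.2.10 is reported for three failed logins followed by a success. The positive check ("is this still a hostname?") is deliberately preferred over a denylist of metacharacters, since it also catches encodings and separators you did not anticipate.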

🔗 References
