CVE-2025-13547

8.8 HIGH

📋 TL;DR

A memory corruption vulnerability in D-Link DIR-822K and DWR-M920 routers allows remote attackers to manipulate the 'submit-url' argument in the '/boafrm/formDdns' file, potentially leading to arbitrary code execution or denial of service. This affects users of these specific router models with the vulnerable firmware version. The exploit is publicly available, increasing the risk of attacks.

💻 Affected Systems

Products:
  • D-Link DIR-822K
  • D-Link DWR-M920
Versions: 1.00_20250513164613/1.1.50
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version listed; other versions may be impacted if similar code exists.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full device compromise, data theft, or use as a botnet node.

🟠 Likely Case: Denial of service or device crash, with potential for limited code execution in targeted attacks.

🟢 If Mitigated: Minimal impact if devices are isolated or patched, but residual risk from unpatched systems.

🌐 Internet-Facing: HIGH, as the vulnerability is remotely exploitable and affects internet-facing routers.
🏢 Internal Only: MEDIUM, as internal network access could still allow exploitation, but with less exposure than internet-facing devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are published on GitHub, making them accessible to attackers with moderate skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check D-Link's official website or support for firmware updates; if none, consider workarounds or replacement.

🔧 Temporary Workarounds

Disable DDNS Service

all

Turn off Dynamic DNS functionality to block access to the vulnerable '/boafrm/formDdns' endpoint.

Access the router's web interface, navigate to the DDNS settings, and disable the service.

Restrict Network Access

all

Use firewall rules to limit access to the router's management interface from untrusted networks.

Configure firewall to allow only trusted IPs to access router admin ports (e.g., 80, 443).

🧯 If You Can't Patch

  • Isolate affected routers in a separate network segment to limit lateral movement.
  • Monitor network traffic for unusual patterns or exploit attempts targeting the DDNS endpoint.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router's web interface under 'Status' or 'System' settings.

Check Version:

Log in to the router's web interface and navigate to the system information page.

Verify Fix Applied:

Verify firmware version is updated to a non-vulnerable release, if available from vendor.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to '/boafrm/formDdns' with manipulated 'submit-url' parameters.

Network Indicators:

  • Traffic spikes or anomalies on router management ports (e.g., 80, 443) from external sources.

SIEM Query:

source="router_logs" AND url="/boafrm/formDdns" AND method="POST" AND (param="submit-url" OR suspicious_payload)
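
The log indicator above can be turned into a concrete check. The following is an added example, not code from the vendor or from the original advisory: it flags POST requests to '/boafrm/formDdns' whose 'submit-url' value is oversized, repeated, or contains non-printable bytes, and requests that come from outside the trusted management network. The record layout, the trusted subnet and the length threshold are assumptions to adapt to your own proxy or IDS logs.

```python
import ipaddress
from urllib.parse import parse_qs

ENDPOINT = "/boafrm/formDdns"
# Assumption: management access is expected only from this admin LAN.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]
# Assumption: tune to the longest submit-url your router's own UI sends.
MAX_SUBMIT_URL_LEN = 128

def check_request(src_ip, method, path, body):
    """Return the reasons a request looks suspicious (empty list if none)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    reasons = []
    if not any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS):
        reasons.append("untrusted-source")
    # parse_qs percent-decodes values, so %00 becomes a real NUL character.
    values = parse_qs(body, keep_blank_values=True).get("submit-url", [])
    if len(values) > 1:
        reasons.append("duplicate-submit-url")
    if any(len(v) > MAX_SUBMIT_URL_LEN for v in values):
        reasons.append("oversized-submit-url")
    if any(not (0x20 <= ord(ch) <= 0x7E) for v in values for ch in v):
        reasons.append("non-printable-submit-url")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that raised a flag."""
    hits = {}
    for i, (src_ip, method, path, body) in enumerate(events):
        reasons = check_request(src_ip, method, path, body)
        if reasons:
            hits[i] = reasons
    return hits

# Constructed sample records (src_ip, method, path, form body); the field
# names other than submit-url and all values are made up for illustration.
SAMPLE_EVENTS = [
    ("192.168.0.10", "POST", "/boafrm/formDdns", "enabled=1&submit-url=%2Fpage.htm"),
    ("203.0.113.7", "POST", "/boafrm/formDdns", "submit-url=" + "A" * 400),
    ("192.168.0.23", "POST", "/boafrm/formDdns", "submit-url=%2Fpage.htm%00%ff"),
    ("203.0.113.7", "GET", "/index.htm", ""),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[index][0], reasons)
```

The check needs a log source that records the POST body, such as a reverse proxy or IDS in front of the management interface; a plain access log carries only the request line.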
