CVE-2025-1538

8.8 HIGH

📋 TL;DR

A critical heap-based buffer overflow vulnerability in D-Link DAP-1320's set_ws_action function allows remote attackers to execute arbitrary code or cause denial of service. This affects D-Link DAP-1320 devices running firmware version 1.00. The vulnerability is particularly dangerous as these products are no longer supported by the vendor.

💻 Affected Systems

Products:
  • D-Link DAP-1320
Versions: 1.00
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects products no longer supported by D-Link. All devices running the vulnerable firmware are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, persistence, and potential lateral movement within the network.

🟠 Likely Case

Remote denial of service causing device crashes and network disruption, with potential for limited code execution.

🟢 If Mitigated

Denial of service at most, provided exploit attempts are blocked; the device itself remains vulnerable to future attacks.

🌐 Internet-Facing: HIGH - Attack can be launched remotely, making internet-facing devices immediate targets.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows remote exploitation within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit has been publicly disclosed and may be used. The vulnerability is in the /dws/api/ endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://legacy.us.dlink.com/pages/product.aspx?id=4b2bbe2e3f1d440ea65bc56c7e3dcc5c

Restart Required: No

Instructions:

No official patch available as product is end-of-life. Consider replacement or workarounds.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate DAP-1320 devices in separate VLANs with strict firewall rules blocking external access to the device management interface.

Access Control Lists (applies to: all)

Implement ACLs to restrict access to the device's management interface only to trusted administrative IP addresses.

🧯 If You Can't Patch

  • Immediately replace DAP-1320 devices with supported models
  • Disable the vulnerable /dws/api/ endpoint through configuration, if the device allows it

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or SSH. If the version is 1.00, the device is vulnerable.

Check Version:

Check the web interface at http://[device-ip]/ or use SSH if it is enabled.

Verify Fix Applied:

No fix available to verify. Replacement with non-vulnerable device is the only verification.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /dws/api/ endpoint
  • Device crash/restart logs
  • Unusual memory usage patterns

Network Indicators:

  • HTTP POST requests to /dws/api/ with large payloads
  • Traffic patterns matching known exploit signatures

SIEM Query:

source_ip:* AND dest_ip:[device_ip] AND url_path:"/dws/api/" AND http_method:POST
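The three indicators above (POSTs to /dws/api/, large request bodies, repeated requests from one source) as a small detector over constructed JSON-lines proxy logs. This is an added example, not code from the page or from D-Link; the log format, the 1024-byte payload threshold and the burst count of 3 are assumptions.

```python
import json
from collections import Counter

# Constructed sample log (JSON lines from a hypothetical HTTP proxy in front
# of the access point); these are not events from the page or a real device.
SAMPLE_LOG = """\
{"ts":"2025-03-01T10:00:01Z","src":"10.0.0.5","dst":"192.168.1.20","method":"GET","path":"/index.html","req_bytes":0}
{"ts":"2025-03-01T10:00:05Z","src":"203.0.113.7","dst":"192.168.1.20","method":"POST","path":"/dws/api/","req_bytes":4096}
{"ts":"2025-03-01T10:00:06Z","src":"203.0.113.7","dst":"192.168.1.20","method":"POST","path":"/dws/api/","req_bytes":64}
{"ts":"2025-03-01T10:00:07Z","src":"203.0.113.7","dst":"192.168.1.20","method":"POST","path":"/dws/api/","req_bytes":64}
{"ts":"2025-03-01T10:05:00Z","src":"10.0.0.5","dst":"192.168.1.20","method":"POST","path":"/dws/api/","req_bytes":80}
{"ts":"2025-03-01T10:05:02Z","src":"10.0.0.5","dst":"192.168.1.20","method":"GET","path":"/dws/api/","req_bytes":0}
"""

ENDPOINT = "/dws/api/"          # endpoint named in the advisory
LARGE_BODY_BYTES = 1024         # assumed threshold for a "large payload"
BURST_THRESHOLD = 3             # assumed count for "multiple requests"

def parse_log(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def detect(records, device_ip, large=LARGE_BODY_BYTES, burst=BURST_THRESHOLD):
    """Apply the advisory's indicators to records addressed to one device."""
    to_device = [r for r in records
                 if r["dst"] == device_ip and r["path"].startswith(ENDPOINT)]
    # SIEM-query equivalent: any POST to /dws/api/ on the device
    post_hits = [r for r in to_device if r["method"] == "POST"]
    # Network indicator: POSTs carrying an unusually large request body
    large_payloads = [(r["src"], r["req_bytes"]) for r in post_hits
                      if r["req_bytes"] >= large]
    # Log indicator: a single source repeatedly hitting the endpoint
    per_src = Counter(r["src"] for r in to_device)
    burst_sources = {s: n for s, n in per_src.items() if n >= burst}
    return {"post_hits": post_hits, "large_payloads": large_payloads,
            "burst_sources": burst_sources}

def run_sample():
    return detect(list(parse_log(SAMPLE_LOG)), "192.168.1.20")

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The legitimate small POST from 10.0.0.5 still matches the SIEM query, so the payload-size and burst rules are what separate it from the noisy external source.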
