CVE-2025-6373

8.8 HIGH

📋 TL;DR

A critical stack-based buffer overflow vulnerability in D-Link DIR-619L routers allows remote attackers to execute arbitrary code by manipulating the curTime parameter. This affects D-Link DIR-619L firmware version 2.06B01. The vulnerability is particularly dangerous because these products are no longer supported by the vendor.

💻 Affected Systems

Products:
  • D-Link DIR-619L
Versions: 2.06B01
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects products that are end-of-life and no longer supported by D-Link.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, persistent backdoor installation, and lateral movement to connected networks.

🟠 Likely Case

Remote code execution allowing attackers to take control of the router, intercept network traffic, and pivot to internal systems.

🟢 If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal threats remain possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details exist for internet-facing devices.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on GitHub, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch exists as this product is end-of-life. Replace with supported hardware.

🔧 Temporary Workarounds

Network Segmentation


Isolate affected routers in separate VLANs with strict firewall rules to limit attack surface.

Access Control Lists


Implement network ACLs to restrict access to the vulnerable web interface port (typically TCP 80/443).

🧯 If You Can't Patch

  • Immediately replace affected D-Link DIR-619L routers with supported hardware from any vendor.
  • If replacement is delayed, isolate the router from critical networks and disable remote administration features.

🔍 How to Verify

Check if Vulnerable:

Check router web interface for firmware version 2.06B01 or examine device label for model DIR-619L.

Check Version:

Access router web interface at http://[router-ip] and check firmware version in status/system pages.

Verify Fix Applied:

Verify device has been physically replaced with supported hardware or removed from network.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/formWlSiteSurvey with manipulated curTime parameter
  • Multiple failed exploitation attempts

Network Indicators:

  • Unusual outbound connections from router IP
  • Traffic patterns suggesting router compromise

SIEM Query:

dest_ip="router_ip" AND url_path="/goform/formWlSiteSurvey" AND method="POST"
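
The log indicator above can be turned into a concrete check. The following is an added example, not part of the original advisory: it scans request logs for POSTs to /goform/formWlSiteSurvey and flags curTime values that are oversized or non-numeric. The log line layout, the 32-character ceiling and the expectation that a benign curTime is a short numeric timestamp are assumptions to adjust for your own logging.

```python
from urllib.parse import parse_qs

TARGET_PATH = "/goform/formWlSiteSurvey"  # endpoint named in the log indicators
MAX_CURTIME_LEN = 32                       # assumed ceiling for a benign value

# Constructed sample lines: "<timestamp> <src_ip> <method> <path> <form body>"
SAMPLE_LOG = [
    "2025-06-20T10:00:01Z 192.0.2.10 POST /goform/formWlSiteSurvey curTime=1750413601000&survey=1",
    "2025-06-20T10:00:05Z 192.0.2.10 GET /index.asp -",
    "2025-06-20T10:02:17Z 198.51.100.7 POST /goform/formWlSiteSurvey curTime=" + "A" * 600,
    "2025-06-20T10:02:40Z 198.51.100.7 POST /goform/formWlSiteSurvey curTime=1750%41bc",
    "2025-06-20T10:03:00Z 192.0.2.10 POST /goform/formLogin curTime=" + "B" * 600,
]


def suspicious_curtime(value):
    """Return a reason string if the value looks manipulated, else None."""
    if len(value) > MAX_CURTIME_LEN:
        return f"length {len(value)} exceeds {MAX_CURTIME_LEN}"
    # Assumption: a legitimate curTime is an ASCII-digit timestamp.
    if not (value.isascii() and value.isdigit()):
        return "non-numeric value"
    return None


def scan(lines):
    """Return (timestamp, src_ip, reason) for each flagged request."""
    findings = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # malformed line, skip
        ts, src, method, path, body = parts
        if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
            continue
        # parse_qs URL-decodes values and returns every repeat of the parameter.
        for value in parse_qs(body, keep_blank_values=True).get("curTime", []):
            reason = suspicious_curtime(value)
            if reason:
                findings.append((ts, src, reason))
    return findings


if __name__ == "__main__":
    for ts, src, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src} curTime flagged: {reason}")
```
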
