CVE-2025-8169

Severity: 8.8 HIGH

📋 TL;DR

A critical buffer overflow vulnerability in D-Link DIR-513 routers allows remote attackers to execute arbitrary code by sending specially crafted HTTP POST requests. This affects the formSetWanPPTPcallback function and can be exploited without authentication. Only unsupported legacy devices running version 1.10 are vulnerable.

💻 Affected Systems

Products:
  • D-Link DIR-513
Versions: 1.10
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects end-of-life products with no vendor support. All devices running this firmware version are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, network infiltration, and persistent backdoor installation.

🟠 Likely Case

Router takeover enabling traffic interception, credential theft, and use as attack platform against internal networks.

🟢 If Mitigated

Limited impact if device is isolated behind firewalls with strict inbound filtering, though lateral movement risk remains.

🌐 Internet-Facing: HIGH - Directly accessible routers can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit if device is reachable on local network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available. Attack requires sending crafted HTTP POST to /goform/formSetWanPPTPpath with manipulated curTime parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch exists as product is end-of-life. Replace with supported hardware.

🔧 Temporary Workarounds

Network Isolation

Applies to: all

Place the router behind a firewall with strict inbound filtering so that its web interface is not reachable from outside.

Disable Remote Management

Applies to: all

Turn off remote administration features if they are enabled in the router settings.

🧯 If You Can't Patch

  • Immediately replace affected routers with supported models
  • Segment network to isolate vulnerable devices and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface at 192.168.0.1, or use an nmap scan for device identification.

Check Version:

curl -s http://192.168.0.1/ | grep -i 'firmware'

Alternatively, check the System Status page in the web interface.

Verify Fix Applied:

Verify replacement with supported hardware or successful network isolation measures.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/formSetWanPPTPpath
  • Multiple failed buffer overflow attempts in system logs

Network Indicators:

  • HTTP traffic to router on port 80 with large curTime parameters
  • Unusual outbound connections from router

SIEM Query:

dest_ip=router_ip AND method="POST" AND url_path="/goform/formSetWanPPTPpath"
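An added detection example, not part of this advisory: it scans constructed IDS/proxy-style request records that keep the POST body (the log format, the sample IP addresses and the 32-character curTime threshold are assumptions) and raises an alert for every POST to /goform/formSetWanPPTPpath, escalating to high severity when the curTime value is oversized.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records (not real traffic). Assumed format:
#   <timestamp> <src_ip> -> <dst_ip> <METHOD> <path> body=<form data>
SAMPLE_LOG = (
    "2025-08-01T10:00:01Z 192.168.0.20 -> 192.168.0.1 GET /index.htm body=\n"
    "2025-08-01T10:00:05Z 192.168.0.20 -> 192.168.0.1 POST /goform/formSetWanPPTPpath "
    "body=curTime=1722506405\n"
    "2025-08-01T10:00:09Z 203.0.113.7 -> 192.168.0.1 POST /goform/formSetWanPPTPpath "
    "body=curTime=" + "A" * 96 + "\n"
    "2025-08-01T10:00:12Z 192.168.0.21 -> 192.168.0.1 POST /goform/formLogin body=user=admin\n"
)

TARGET_PATH = "/goform/formSetWanPPTPpath"
# Assumed threshold: a legitimate curTime is a short epoch-style value, so
# anything much longer is treated as an overflow attempt.
MAX_CURTIME_LEN = 32

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$"
)


def analyze(log_text):
    """Return one alert dict per POST to the vulnerable handler.

    severity is "high" when curTime exceeds MAX_CURTIME_LEN, else "info"
    (any POST to this endpoint is still worth recording).
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip records that do not match the assumed format
        if m["method"] != "POST" or m["path"] != TARGET_PATH:
            continue
        fields = parse_qs(m["body"], keep_blank_values=True)
        cur_time = fields.get("curTime", [""])[0]
        severity = "high" if len(cur_time) > MAX_CURTIME_LEN else "info"
        alerts.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "curTime_len": len(cur_time), "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```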
