Cyber Resilience

CVE-2025-10779

HighPublic PoC

Published: 22 September 2025

Published
22 September 2025
Modified
25 September 2025
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 57.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10779 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dcs-935L Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-10779 is a stack-based buffer overflow vulnerability affecting D-Link DCS-935L firmware versions up to 1.13.01. The flaw exists in the sub_402280 function within the /HNAP1/ file and is triggered by manipulating the HNAP_AUTH/SOAPAction argument. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).

The vulnerability enables remote exploitation over the network by an attacker possessing low privileges, with low attack complexity and no requirement for user interaction. Per its CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), successful exploitation grants high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution. A public exploit is available for use.

Advisories note that the vulnerability exclusively impacts products no longer supported by the maintainer, with no patches available. Relevant references include detailed analyses on GitHub (scanleale/IOT_sec repositories) and VulDB entries (ctiid.325135, id.325135, submit.653690), which document the issue but do not specify mitigations beyond device replacement or isolation.

An exploit has been publicly disclosed, increasing the risk for exposed, end-of-support devices.

EU & UK References

Vulnerability details

A vulnerability was found in D-Link DCS-935L up to 1.13.01. The impacted element is the function sub_402280 of the file /HNAP1/. The manipulation of the argument HNAP_AUTH/SOAPAction results in stack-based buffer overflow. The attack may be launched remotely. The exploit…

more

has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the HNAP service (/HNAP1/ sub_402280) of the public-facing D-Link DCS-935L camera enables remote code execution, directly facilitating exploitation of a public-facing application.

CVEs Like This One

CVE-2026-8260Same product: Dlink Dcs-935L
CVE-2026-4184Same vendor: Dlink
CVE-2026-4181Same vendor: Dlink
CVE-2026-4183Same vendor: Dlink
CVE-2026-5212Same vendor: Dlink
CVE-2025-1876Same vendor: Dlink
CVE-2026-4211Same vendor: Dlink
CVE-2025-8184Same vendor: Dlink
CVE-2026-5213Same vendor: Dlink
CVE-2026-4182Same vendor: Dlink

Affected Assets

dlink
dcs-935l firmware
≤ 1.13.01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Prohibits or applies safeguards to unsupported end-of-life components like the D-Link DCS-935L with no patches available for this buffer overflow vulnerability.

prevent

Provides memory protections such as DEP, ASLR, and stack canaries to prevent exploitation of stack-based buffer overflows triggered by malformed HNAP_AUTH/SOAPAction inputs.

prevent

Enforces boundary protection to block remote network access to the vulnerable /HNAP1/ endpoint, mitigating low-privilege remote exploitation.

References