CVE-2025-13191
Published: 15 November 2025
Summary
CVE-2025-13191 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dir-816L Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits use of end-of-support components like the D-Link DIR-816L, directly eliminating exposure to this unpatchable stack buffer overflow vulnerability.
Requires identification, prioritization, and remediation of flaws like CVE-2025-13191, mandating replacement or isolation for unsupported systems lacking patches.
Implements memory protections such as stack canaries and non-executable stacks that directly prevent exploitation of stack-based buffer overflows in soapcgi_main.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing /soap.cgi endpoint on the D-Link DIR-816L router enables remote code execution via exploitation of a public-facing application.
NVD Description
A vulnerability was determined in D-Link DIR-816L 2_06_b09_beta. This issue affects the function soapcgi_main of the file /soap.cgi. This manipulation causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may…
more
be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2025-13191 is a stack-based buffer overflow vulnerability affecting the soapcgi_main function in the /soap.cgi file of the D-Link DIR-816L router running firmware version 2_06_b09_beta. This issue, linked to CWE-119 and CWE-121, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and impacts only products that are no longer supported by the maintainer.
The vulnerability enables remote exploitation by an attacker possessing low privileges, with low attack complexity and no requirement for user interaction. Successful exploitation can lead to high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution via the disclosed stack overflow.
Advisories from VulDB indicate no official patches are available due to end-of-support status for the affected D-Link DIR-816L devices. Mitigation recommendations focus on network isolation, replacement with supported hardware, or disabling the vulnerable soap.cgi endpoint if feasible. A proof-of-concept exploit is publicly available in a GitHub-hosted PDF document.
The exploit has been publicly disclosed and may be utilized, increasing risk for exposed, unpatched DIR-816L routers in active networks.
Details
- CWE(s)