CVE-2025-13306

MediumPublic PoC

Published: 18 November 2025

Published

18 November 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0009 25.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13306 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dwr-M920 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of the specific command injection flaw in the /boafrm/formDebugDiagnosticRun function of vulnerable D-Link router firmware.

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents command injection by enforcing input validation and error handling on the untrusted 'host' argument at the vulnerable web endpoint.

CM-7 Least Functionality good match

prevent

CM-7 mitigates the vulnerability by configuring the router to provide only essential capabilities and prohibiting unnecessary debug diagnostic functions like formDebugDiagnosticRun.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection in the router's web diagnostic form directly enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution on the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible.…

The exploit has been disclosed publicly and may be used.

Deeper analysisAI

CVE-2025-13306 is a command injection vulnerability in D-Link routers, specifically the models DWR-M920, DWR-M921, DIR-822K, and DIR-825M running firmware version 1.1.5. The flaw affects the system function in the file /boafrm/formDebugDiagnosticRun, where manipulation of the 'host' argument enables command injection. Published on 2025-11-18, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWEs 74, 77, and 78.

The vulnerability allows remote exploitation over the network with low complexity and no user interaction required, but attackers need low privileges (PR:L). Successful attacks can result in low-level impacts to confidentiality, integrity, and availability through injected commands.

Advisories and further details are available at https://github.com/LX-LX88/cve/issues/15, https://vuldb.com/?ctiid.332646, https://vuldb.com/?id.332646, https://vuldb.com/?submit.691813, and https://vuldb.com/?submit.693805. The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s): CWE-74 CWE-77 CWE-78

Affected Products

dlink

dwr-m920 firmware

1.1.5

dlink

dwr-m921 firmware

1.1.50

dlink

dir-822k firmware

tk_1.00_20250513164613

dlink

dir-825m firmware

1.1.12

CVEs Like This One

CVE-2025-15191Same product: Dlink Dwr-M920

CVE-2026-0732Same vendor: Dlink

CVE-2026-4499Same vendor: Dlink

CVE-2026-1506Same vendor: Dlink

CVE-2026-1448Same vendor: Dlink

CVE-2026-1125Same vendor: Dlink

CVE-2026-2082Same vendor: Dlink

CVE-2026-5844Same vendor: Dlink

CVE-2026-2163Same vendor: Dlink

CVE-2025-13552Same product: Dlink Dir-822K

References

https://github.com/LX-LX88/cve/issues/15
Exploit, Third Party Advisory, Issue Tracking · cna@vuldb.com
https://vuldb.com/?ctiid.332646
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.332646
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.691813
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.693805
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.693807
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.695426
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com
https://github.com/LX-LX88/cve/issues/15
Exploit, Third Party Advisory, Issue Tracking · 134c704f-9b21-4f2e-91b3-4a467353bcc0