CVE-2025-15189
Published: 29 December 2025
Summary
CVE-2025-15189 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dwr-M920 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the buffer overflow flaw in sub_464794 by identifying, reporting, and applying firmware patches or updates for D-Link DWR-M920 up to 1.1.50.
Requires validation of the submit-url argument's length and content in /boafrm/formDefRoute to prevent buffer overflow from malformed remote inputs.
Implements memory protections such as stack canaries, ASLR, and DEP to block arbitrary code execution even if the buffer overflow in sub_464794 is triggered.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the web interface (/boafrm/formDefRoute) of the D-Link DWR-M920 router via 'submit-url' parameter enables remote exploitation of a public-facing application.
NVD Description
A vulnerability was identified in D-Link DWR-M920 up to 1.1.50. This issue affects the function sub_464794 of the file /boafrm/formDefRoute. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly…
more
available and might be used.
Deeper analysisAI
CVE-2025-15189 is a buffer overflow vulnerability in D-Link DWR-M920 routers running firmware versions up to 1.1.50. The issue affects the sub_464794 function in the /boafrm/formDefRoute file, where manipulation of the submit-url argument triggers the overflow. Published on 2025-12-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 and CWE-120.
The vulnerability enables remote exploitation by attackers with low privileges, requiring no user interaction. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or denial of service on affected devices.
Advisories and references, including GitHub proof-of-concept exploits at https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md and VULDB entries at https://vuldb.com/?ctiid.338574, document the issue but do not specify patches or mitigations. The exploit is publicly available and might be used.
A publicly available exploit underscores the risk of active exploitation against unpatched D-Link DWR-M920 devices.
Details
- CWE(s)