Cyber Resilience

CVE-2025-15190

HighPublic PoC

Published: 29 December 2025

Published
29 December 2025
Modified
30 December 2025
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0069 48.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-15190 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dwr-M920 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-15190 is a stack-based buffer overflow vulnerability affecting D-Link DWR-M920 router firmware versions up to 1.1.50. The flaw resides in the function sub_42261C within the file /boafrm/formFilter, where manipulation of the ip6addr argument triggers the overflow. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely over the network with low complexity and low privileges required, without user interaction. An attacker with low privileges can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution via the buffer overflow.

References point to GitHub repositories under panda666-888/vuls detailing the D-Link DWR-M920 formFilter vulnerability, including a proof-of-concept exploit. VulDB entries (ctiid.338575, id.338575, submit.723553) document the issue, but no vendor advisories or specific patches are mentioned.

The exploit has been publicly released, enabling potential immediate exploitation in the wild. The vulnerability was published on 2025-12-29.

EU & UK References

Vulnerability details

A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit…

more

has been released to the public and may be exploited.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the web management interface (/boafrm/formFilter) of D-Link DWR-M920 router allows remote exploitation of a public-facing application for initial access.

CVEs Like This One

CVE-2025-13553Same product: Dlink Dwr-M920
CVE-2025-15193Same product: Dlink Dwr-M920
CVE-2025-15189Same product: Dlink Dwr-M920
CVE-2025-15192Same product: Dlink Dwr-M920
CVE-2025-13550Same product: Dlink Dwr-M920
CVE-2025-13552Same product: Dlink Dwr-M920
CVE-2025-13551Same product: Dlink Dwr-M920
CVE-2025-15191Same product: Dlink Dwr-M920
CVE-2026-2856Same vendor: Dlink
CVE-2026-2927Same vendor: Dlink

Affected Assets

dlink
dwr-m920 firmware
≤ 1.1.50

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents the stack-based buffer overflow by validating the ip6addr argument in the formFilter function to ensure it conforms to expected IPv6 format and length bounds.

prevent

Implements memory protections such as stack canaries, ASLR, and non-executable stacks to block exploitation of the buffer overflow even if invalid input reaches the vulnerable function.

preventrecover

Requires timely identification, reporting, and patching of the known firmware flaw in D-Link DWR-M920 up to version 1.1.50 to eliminate the vulnerability.

References