CVE-2025-15193
Published: 29 December 2025
Summary
CVE-2025-15193 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dwr-M920 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents buffer overflow exploitation by validating and sanitizing the submit-url argument in the formParentControl function.
Ensures timely identification, reporting, and patching of the specific buffer overflow flaw in D-Link DWR-M920 firmware up to 1.1.50.
Mitigates successful exploitation of the buffer overflow through memory protections such as ASLR and non-executable memory segments.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the remotely accessible web interface (/boafrm/formParentControl) of the D-Link DWR-M920 router enables remote code execution, facilitating exploitation of a public-facing application.
NVD Description
A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. This affects the function sub_423848 of the file /boafrm/formParentControl. Performing manipulation of the argument submit-url results in buffer overflow. The attack is possible to be carried out remotely. The exploit…
more
is now public and may be used.
Deeper analysisAI
CVE-2025-15193 is a buffer overflow vulnerability affecting D-Link DWR-M920 routers running firmware versions up to 1.1.50. The issue resides in the function sub_423848 within the file /boafrm/formParentControl, where manipulation of the submit-url argument triggers the overflow. Classified under CWE-119 and CWE-120, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability enables remote exploitation by attackers who possess low privileges, such as authenticated users on the device. By crafting and submitting a malicious submit-url argument, an attacker can trigger the buffer overflow, potentially leading to arbitrary code execution, data compromise, or denial of service, given the high confidentiality, integrity, and availability impacts outlined in the CVSS vector.
References, including GitHub repositories detailing the vulnerability and a proof-of-concept exploit at https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md and https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md#poc, as well as VulDB entries at https://vuldb.com/?ctiid.338578, https://vuldb.com/?id.338578, and https://vuldb.com/?submit.723556, confirm the exploit is public and available for use. No specific patch or mitigation details are provided in the available information.
Details
- CWE(s)