Cyber Resilience

CVE-2025-1538

HighPublic PoC

Published: 21 February 2025

Published
21 February 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 38.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1538 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dap-1320 Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1538 is a critical heap-based buffer overflow vulnerability (CWE-119, CWE-122, CWE-787) in the set_ws_action function of the /dws/api/ component within D-Link DAP-1320 firmware version 1.00. Published on 2025-02-21, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its severity due to network accessibility and potential for significant impact.

The vulnerability can be exploited remotely by attackers with low privileges, requiring no user interaction and low attack complexity. Successful exploitation enables high-level compromise of confidentiality, integrity, and availability, such as arbitrary code execution via the buffer overflow. An exploit has been publicly disclosed and may be used against vulnerable devices.

Advisories note that the vulnerability affects products no longer supported by the maintainer, with no patches available. References include the D-Link legacy product page, VulDB entries detailing the issue (ctiid.296479 and id.296479), and a Notion site providing exploit information for the D-Link DAP-1320 set_ws_action vulnerability.

EU & UK References

Vulnerability details

A vulnerability classified as critical was found in D-Link DAP-1320 1.00. Affected by this vulnerability is the function set_ws_action of the file /dws/api/. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been…

more

disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Heap buffer overflow in remotely accessible /dws/api/ endpoint directly enables remote exploitation of a public-facing application for arbitrary code execution and initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1539Same product: Dlink Dap-1320
CVE-2026-4184Same vendor: Dlink
CVE-2026-4181Same vendor: Dlink
CVE-2026-4183Same vendor: Dlink
CVE-2026-5212Same vendor: Dlink
CVE-2025-10779Same vendor: Dlink
CVE-2025-1876Same vendor: Dlink
CVE-2026-4211Same vendor: Dlink
CVE-2025-8184Same vendor: Dlink
CVE-2026-5213Same vendor: Dlink

Affected Assets

dlink
dap-1320 firmware
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prohibits or requires mitigations for unsupported system components like the EOL D-Link DAP-1320 firmware vulnerable to this critical heap buffer overflow.

prevent

Requires validation of inputs to the set_ws_action API function to prevent heap-based buffer overflows from malformed data.

prevent

Implements memory safeguards such as ASLR and DEP to protect against exploitation of the heap buffer overflow even if invalid inputs are processed.

References