Cyber Resilience

CVE-2025-25742

Critical · Public PoC

Published: 12 February 2025

Modified: 05 March 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0404 (88.8th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25742 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in D-Link DIR-853 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

D-Link DIR-853 A1 firmware version FW1.20B07 contains a stack-based buffer overflow vulnerability in the SetSysEmailSettings module, triggered by the AccountPassword parameter. The flaw is tracked as CVE-2025-25742 under CWE-787 and carries a CVSS 3.1 score of 9.8, reflecting a network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can send a crafted HTTP request containing an oversized AccountPassword value to trigger the overflow. Successful exploitation grants the attacker the ability to execute arbitrary code, resulting in complete compromise of the device's confidentiality, integrity, and availability.

The single reference is a third-party disclosure note; it contains no vendor advisory, patch information, or mitigation steps. The associated EPSS values have remained low and stable since publication.

Vulnerability details

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the AccountPassword parameter in the SetSysEmailSettings module.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The unauthenticated remote stack-based buffer overflow in the public-facing SetSysEmailSettings module of the D-Link router directly enables arbitrary code execution via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25746 · Same product: Dlink Dir-853
CVE-2025-25744 · Same product: Dlink Dir-853
CVE-2025-25745 · Same product: Dlink Dir-853
CVE-2025-25743 · Same product: Dlink Dir-853
CVE-2025-70239 · Same vendor: Dlink
CVE-2025-55611 · Same vendor: Dlink
CVE-2025-70234 · Same vendor: Dlink
CVE-2025-70237 · Same vendor: Dlink
CVE-2025-70240 · Same vendor: Dlink
CVE-2025-70245 · Same vendor: Dlink

Affected Assets

Vendor: dlink
Product: dir-853 firmware
Version: 1.20b07

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces bounds checking and input validation on parameters like AccountPassword to prevent stack-based buffer overflows in the SetSysEmailSettings module.

Prevent: Implements memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of stack-based buffer overflows leading to arbitrary code execution.

Prevent: Requires timely identification, reporting, and patching of flaws like this buffer overflow via firmware updates for the D-Link DIR-853 router.
