CVE-2025-25744
Published: 12 February 2025
Summary
CVE-2025-25744 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability, specifically a stack-based buffer overflow, in D-Link DIR-853 firmware. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations identified by this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires length checking and validation of the Password parameter in the SetDynamicDNSSettings module before it is copied into a fixed-size stack buffer; enforcing the limit at the point of input directly removes the stack-based buffer overflow.
SI-16 covers memory safeguards such as stack canaries, a non-executable stack (DEP/NX) and ASLR, which raise the cost of turning the overflow into arbitrary code execution. These are build- and platform-level properties that only the vendor's firmware build controls, and embedded router images often ship without some or all of them, so SI-16 is a defence-in-depth layer rather than a substitute for the SI-10 fix.
SI-2 mandates timely flaw remediation: install the vendor firmware update that supersedes DIR-853 FW1.20B07. Until a fixed build is in place, keep the router's web management interface unreachable from untrusted networks (no WAN-side remote management) and limit which LAN hosts can reach it, since the flaw needs only network access to that interface.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stack-based buffer overflow in the unauthenticated SetDynamicDNSSettings web endpoint of the router directly enables T1190 (Exploit Public-Facing Application) for remote arbitrary code execution. The technique applies wherever the web management interface is reachable from the attacker's network: from the Internet if remote management is exposed on the WAN side, otherwise from any host on the LAN.
NVD Description
D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetDynamicDNSSettings module.
Deeper analysis
CVE-2025-25744 is a stack-based buffer overflow (CWE-787) in the D-Link DIR-853 router, affecting hardware revision A1 running firmware FW1.20B07. The flaw is in the SetDynamicDNSSettings module, where the Password parameter is copied into a fixed-size stack buffer without an adequate length check, so an over-long value overwrites the stack memory adjacent to that buffer. The issue was published on 2025-02-12 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
An unauthenticated attacker who can reach the router's web interface can exploit the flaw remotely with low complexity and no user interaction. A request to the SetDynamicDNSSettings endpoint carrying an over-long Password value triggers the overflow; depending on which stack data is overwritten, the outcome ranges from a crash of the handling process (denial of service) to arbitrary code execution with that process's privileges, which on consumer routers commonly means full control of the device, including exposure and modification of its configuration and traffic.
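The unchecked copy this analysis describes, and the SI-10-style replacement from the Mitigating Controls section, as an added C example. This is not D-Link's firmware code and not the referenced proof-of-concept: the function names, the 64-byte buffer size, the simulated stack frame and the all-'A' input values are assumptions made for illustration. The unchecked handler shows that a Password value only one byte longer than the buffer already overwrites the word stored above it; the checked handler rejects any value that does not fit together with its terminator.

```c
/*
 * Illustration of the CWE-787 pattern described for CVE-2025-25744.
 * This is not D-Link's firmware code: the function names, the 64-byte
 * buffer, the simulated stack layout and the constructed inputs are
 * assumptions made for this example.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define DDNS_PASSWORD_MAX 64            /* assumed size of the stack buffer */
#define SENTINEL          0xDEADBEEFu   /* stand-in for data above the buffer */

/* Simulated stack frame: the password buffer followed by one word that
 * stands in for whatever the compiler placed above it (saved registers,
 * return address). Copying an over-long value into buf clobbers that word. */
struct sim_frame {
    char     buf[DDNS_PASSWORD_MAX];
    uint32_t above_buf;
};

/* Vulnerable pattern: the Password value is copied with no length check.
 * Real code would strcpy() straight onto the stack; here the copy is
 * capped at the frame size so the effect can be observed without undefined
 * behaviour. Returns 1 if the word above the buffer was overwritten. */
int set_ddns_password_unchecked(const char *password)
{
    struct sim_frame f;
    size_t n = strlen(password) + 1;        /* bytes strcpy() would write */

    f.above_buf = SENTINEL;
    if (n > sizeof f)
        n = sizeof f;                       /* cap exists only for the simulation */
    memcpy((char *)&f, password, n);        /* buf has 64 bytes; n may be larger */
    return f.above_buf != SENTINEL;
}

/* Bounded length: counts at most limit bytes, so an unterminated or huge
 * value is never scanned to its end (same contract as POSIX strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t i = 0;
    while (i < limit && s[i] != '\0')
        i++;
    return i;
}

/* Hardened pattern (SI-10): validate the length before copying and fail
 * closed. Returns 0 and fills out on success, -1 if the value is rejected.
 * out must have room for DDNS_PASSWORD_MAX bytes. */
int set_ddns_password_checked(const char *password, char *out)
{
    if (password == NULL)
        return -1;
    size_t len = bounded_len(password, DDNS_PASSWORD_MAX);
    if (len >= DDNS_PASSWORD_MAX)            /* leave room for the terminator */
        return -1;
    memcpy(out, password, len + 1);          /* copies the NUL as well */
    return 0;
}

/* Constructed test value: len repeated 'A' bytes, not a real payload.
 * Each probe runs the value through one handler and returns its result. */
int probe_unchecked(size_t len)
{
    char value[512];
    if (len >= sizeof value)
        len = sizeof value - 1;
    memset(value, 'A', len);
    value[len] = '\0';
    return set_ddns_password_unchecked(value);
}

int probe_checked(size_t len)
{
    char value[512], out[DDNS_PASSWORD_MAX];
    if (len >= sizeof value)
        len = sizeof value - 1;
    memset(value, 'A', len);
    value[len] = '\0';
    return set_ddns_password_checked(value, out);
}

int main(void)
{
    printf("63-byte value, unchecked: clobbered=%d\n", probe_unchecked(63));
    printf("64-byte value, unchecked: clobbered=%d\n", probe_unchecked(64));
    printf("64-byte value, checked:   rc=%d\n", probe_checked(64));
    return 0;
}
```

In real firmware the capped memcpy would be an uncapped strcpy, so the 64-byte boundary is exactly where the data saved above the buffer starts to be corrupted; the checked handler applies the same boundary before the copy rather than after the damage is done. A stack canary (SI-16) would catch the corruption at function return in the unchecked version, but only if the vendor's build enables it, and it still leaves the process crashing on every malformed request.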
Further details, including potential mitigation steps, are documented in the advisory at https://dear-sunshine-ba5.notion.site/D-Link-DIR-853-4-1812386a664480378626cc13b98e18f5.
Details
- CWE(s)