Cyber Resilience

CVE-2025-2619

CriticalPublic PoC

Published: 22 March 2025

Published
22 March 2025
Modified
26 March 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0036 58.5th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2619 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dap-1620 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-2619 is a critical stack-based buffer overflow vulnerability (CVSS 3.1 score of 9.8) affecting the D-Link DAP-1620 wireless access point running firmware version 1.03. The issue resides in the check_dws_cookie function within the /storage file of the Cookie Handler component, linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). Manipulation of the cookie handler triggers the overflow, and it impacts only products that are no longer supported by the maintainer.

The vulnerability enables remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N/S:U), allowing unauthenticated attackers anywhere on the network to send crafted requests to the affected component. Successful exploitation can result in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), potentially leading to arbitrary code execution, data disclosure, or device denial of service.

Advisories from sources like VulDB indicate no patches or mitigations are available, as the D-Link DAP-1620 is end-of-support. The exploit has been publicly disclosed, including details on VulDB and a Notion site, increasing the risk of active use against exposed, unpatched devices. Security practitioners should isolate or decommission affected hardware and monitor for anomalous traffic targeting the Cookie Handler.

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, was found in D-Link DAP-1620 1.03. This affects the function check_dws_cookie of the file /storage of the component Cookie Handler. The manipulation leads to stack-based buffer overflow. It is possible to initiate the…

more

attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated stack-based buffer overflow in the cookie handler of a public-facing wireless access point directly enables exploitation of a public-facing application (T1190) for initial access and arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2621Same product: Dlink Dap-1620
CVE-2025-2620Same product: Dlink Dap-1620
CVE-2025-2618Same product: Dlink Dap-1620
CVE-2026-4184Same vendor: Dlink
CVE-2026-4181Same vendor: Dlink
CVE-2026-4183Same vendor: Dlink
CVE-2026-5212Same vendor: Dlink
CVE-2025-10779Same vendor: Dlink
CVE-2025-1876Same vendor: Dlink
CVE-2026-4211Same vendor: Dlink

Affected Assets

dlink
dap-1620 firmware
1.03

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prohibits the use of end-of-support system components like the D-Link DAP-1620, preventing exposure to unpatchable critical vulnerabilities.

prevent

Requires risk-based remediation of identified flaws such as this stack-based buffer overflow, leading to patching, isolation, or decommissioning of affected devices.

prevent

Implements memory protection safeguards like stack canaries, ASLR, and NX bits to mitigate stack-based buffer overflow exploits and unauthorized code execution.

References