CVE-2025-2620
Published: 22 March 2025
Summary
CVE-2025-2620 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dap-1620 Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).
Deeper analysis
A critical stack-based buffer overflow vulnerability, tracked as CVE-2025-2620 and assigned CWE-119, CWE-121, and CWE-787, affects the mod_graph_auth_uri_handler function in the /storage file of the Authentication Handler component in D-Link DAP-1620 firmware version 1.03. The flaw arises from improper input handling that allows an attacker to overflow a stack buffer, and the issue is present only in a product line that D-Link no longer supports.
An unauthenticated remote attacker can trigger the vulnerability over the network without user interaction, achieving full control over the confidentiality, integrity, and availability of the affected device. Public exploit code has already been disclosed, enabling straightforward weaponization against exposed units.
The referenced advisories and the vendor site confirm that the DAP-1620 is end-of-life, with no patches or firmware updates expected; operators are therefore advised to retire or isolate the hardware.
EPSS scores for the CVE rose from a low baseline to a recorded peak of 0.3561 before settling at the current value of 0.2640, indicating measurable post-disclosure exploitation interest that warrants renewed attention for any remaining deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7274
Vulnerability details
A vulnerability has been found in D-Link DAP-1620 1.03 and classified as critical. This vulnerability affects the function mod_graph_auth_uri_handler of the file /storage of the component Authentication Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated…
more
remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote stack-based buffer overflow in the web authentication handler (/storage mod_graph_auth_uri_handler) enables exploitation of a public-facing application for initial access or remote code execution (T1190, T1210) and denial-of-service via device crash (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires organizations to identify and manage unsupported system components like the end-of-life D-Link DAP-1620 to prevent exploitation of unpatched stack-based buffer overflows.
Mandates timely flaw remediation processes that necessitate isolating or retiring unpatchable EOL devices affected by this remote buffer overflow vulnerability.
Implements boundary protections to restrict remote network access to the vulnerable unauthenticated authentication handler, blocking exploitation attempts.