Cyber Resilience

CVE-2025-2620

Severity: Critical · Public PoC

Published: 22 March 2025

Modified: 26 March 2025
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.2640 (96.4th percentile)
Risk priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2620 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in D-Link DAP-1620 firmware. Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced in its advisories.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).

Deeper analysis

A critical stack-based buffer overflow vulnerability, tracked as CVE-2025-2620 and assigned CWE-119, CWE-121, and CWE-787, affects the mod_graph_auth_uri_handler function in the /storage file of the Authentication Handler component in D-Link DAP-1620 firmware version 1.03. The flaw arises from improper input handling that allows an attacker to overflow a stack buffer, and the issue is present only in a product line that D-Link no longer supports.

An unauthenticated remote attacker can trigger the vulnerability over the network without user interaction, achieving full control over the confidentiality, integrity, and availability of the affected device. Public exploit code has already been disclosed, enabling straightforward weaponization against exposed units.

The referenced advisories and the vendor site confirm that the DAP-1620 is end-of-life, with no patches or firmware updates expected; operators are therefore advised to retire or isolate the hardware.

EPSS scores for the CVE rose from a low baseline to a recorded peak of 0.3561 before settling at the current value of 0.2640, indicating measurable post-disclosure exploitation interest that warrants renewed attention for any remaining deployments.


Vulnerability details

A vulnerability has been found in D-Link DAP-1620 1.03 and classified as critical. This vulnerability affects the function mod_graph_auth_uri_handler of the file /storage of the component Authentication Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s): CWE-119, CWE-121, CWE-787

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

An unauthenticated remote stack-based buffer overflow in the web authentication handler (mod_graph_auth_uri_handler in /storage) allows exploitation of a public-facing application for initial access or remote code execution (T1190, T1210), and a crash of the device gives denial of service (T1499.004).

CVEs Like This One

CVE-2025-2621 (same product: D-Link DAP-1620)
CVE-2025-2619 (same product: D-Link DAP-1620)
CVE-2025-2618 (same product: D-Link DAP-1620)
CVE-2025-1539 (same vendor: D-Link)
CVE-2025-8168 (same vendor: D-Link)
CVE-2026-4184 (same vendor: D-Link)
CVE-2026-4181 (same vendor: D-Link)
CVE-2026-4183 (same vendor: D-Link)
CVE-2026-5212 (same vendor: D-Link)
CVE-2025-10779 (same vendor: D-Link)

Affected Assets

dlink / dap-1620 firmware / version 1.03

Mitigating Controls (NIST 800-53 r5) (AI)

SA-22 Unsupported System Components (prevent): Directly requires organizations to identify and manage unsupported system components like the end-of-life D-Link DAP-1620 to prevent exploitation of unpatched stack-based buffer overflows.

Prevent: Mandates timely flaw remediation processes that necessitate isolating or retiring unpatchable EOL devices affected by this remote buffer overflow vulnerability.

SC-7 Boundary Protection (prevent): Implements boundary protections to restrict remote network access to the vulnerable unauthenticated authentication handler, blocking exploitation attempts.
