CVE-2025-2620
Published: 22 March 2025
Summary
CVE-2025-2620 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in D-Link DAP-1620 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires organizations to identify and manage unsupported system components like the end-of-life D-Link DAP-1620 to prevent exploitation of unpatched stack-based buffer overflows.
- Mandates timely flaw remediation processes that necessitate isolating or retiring unpatchable EOL devices affected by this remote buffer overflow vulnerability.
- Implements boundary protections to restrict remote network access to the vulnerable authentication handler, which is reachable without authentication, blocking exploitation attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote stack-based buffer overflow in the web authentication handler (/storage mod_graph_auth_uri_handler) enables exploitation of a public-facing application for initial access or remote code execution (T1190, T1210) and denial-of-service via device crash (T1499.004).
NVD Description
A vulnerability has been found in D-Link DAP-1620 1.03 and classified as critical. This vulnerability affects the function mod_graph_auth_uri_handler of the file /storage of the component Authentication Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis
CVE-2025-2620 is a critical stack-based buffer overflow vulnerability (CVSS 3.1 score of 9.8) affecting the D-Link DAP-1620 wireless access point in version 1.03. The flaw resides in the mod_graph_auth_uri_handler function within the /storage file of the Authentication Handler component, and is linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). Published on March 22, 2025, it allows remote manipulation without authentication.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special conditions (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation grants high-impact confidentiality, integrity, and availability effects (C:H/I:H/A:H), potentially enabling arbitrary code execution, data theft, or device takeover on affected devices.
Advisories from VulDB indicate no patches are available, as the D-Link DAP-1620 is no longer supported by the manufacturer; mitigation requires isolating or retiring vulnerable devices. The exploit has been publicly disclosed and may be actively used, per references including VulDB entries and a detailed Notion write-up.
Details
- CWE(s)