Cyber Posture

CVE-2025-2621

Critical · Public PoC

Published: 22 March 2025

Modified: 26 March 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2621 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in D-Link DAP-1620 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Prohibits the use of unsupported, end-of-life system components like the D-Link DAP-1620 with unpatchable stack-based buffer overflow vulnerabilities.

Prevent: Implements memory protections such as stack canaries and ASLR that directly mitigate stack-based buffer overflow exploitation in vulnerable firmware.

Prevent: Enforces validation of inputs like the uid argument to prevent manipulation leading to improper memory buffer operations and overflows.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Remote unauthenticated stack-based buffer overflow in the D-Link DAP-1620 web interface (/storage/check_dws_cookie via uid parameter) enables exploitation of a public-facing application and remote services, facilitating remote code execution.

NVD Description

A vulnerability was found in D-Link DAP-1620 1.03 and classified as critical. This issue affects the function check_dws_cookie of the file /storage. The manipulation of the argument uid leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Deeper analysis [AI]

CVE-2025-2621 is a critical stack-based buffer overflow vulnerability in the check_dws_cookie function within the /storage file of D-Link DAP-1620 version 1.03. It is triggered by manipulation of the uid argument and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). The issue carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility with low complexity and no required privileges or user interaction.

The vulnerability can be exploited remotely by unauthenticated attackers with no privileges (AV:N/AC:L/PR:N/UI:N), potentially leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation allows arbitrary code execution via the buffer overflow, enabling full system compromise on affected devices.

Advisories from sources like VulDB indicate that the vulnerability affects only D-Link DAP-1620 products no longer supported by the manufacturer, with no patches available. The D-Link website provides general product information but no specific mitigation for this issue. Security practitioners should isolate or decommission affected devices, as referenced in VulDB entries and a detailed Notion disclosure.

The exploit has been publicly disclosed and may be actively used, increasing risks for unpatched, end-of-life deployments.

Details

CWE(s)

Affected Products

Vendor: dlink
Product: dap-1620 firmware
Version: 1.03

CVEs Like This One

CVE-2025-2620 (same product: D-Link DAP-1620)
CVE-2025-2619 (same product: D-Link DAP-1620)
CVE-2025-2618 (same product: D-Link DAP-1620)
CVE-2025-1539 (same vendor: D-Link)
CVE-2025-8159 (same vendor: D-Link)
CVE-2026-5213 (same vendor: D-Link)
CVE-2026-4211 (same vendor: D-Link)
CVE-2025-10779 (same vendor: D-Link)
CVE-2025-8184 (same vendor: D-Link)
CVE-2026-4184 (same vendor: D-Link)
