Cyber Posture

CVE-2025-7194

HighPublic PoC

Published: 08 July 2025

Published
08 July 2025
Modified
14 July 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0076 73.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7194 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Di-500Wf Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 requires input validation on the 'ip' argument in ip_position.asp, directly preventing the stack-based buffer overflow from unsafe sprintf usage.

SI-16 Memory Protection good match
prevent

SI-16 implements memory protections like stack canaries and non-executable stacks, mitigating the impact of the stack buffer overflow even if triggered.

SI-2 Flaw Remediation good match
preventrecover

SI-2 mandates timely flaw remediation, including patching the sprintf vulnerability in the jhttpd component of the D-Link firmware.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Stack-based buffer overflow in public-facing jhttpd web server component directly enables remote code execution via exploitation of an Internet-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in D-Link DI-500WF 17.04.10A1T. It has been declared as critical. Affected by this vulnerability is the function sprintf of the file ip_position.asp of the component jhttpd. The manipulation of the argument ip leads to stack-based buffer…

more

overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-7194 is a critical stack-based buffer overflow vulnerability affecting the D-Link DI-500WF wireless router on firmware version 17.04.10A1T. The flaw resides in the sprintf function within the ip_position.asp file of the jhttpd web server component. Manipulation of the "ip" argument triggers the overflow, as documented with CWEs CWE-119 and CWE-121.

The vulnerability enables remote exploitation over the network with low complexity and low privileges required (PR:L), without user interaction (CVSS:3.1 score of 8.8; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution on the affected device.

Advisories from VulDB (ctiid.315133, id.315133, submit.607311) and the D-Link website provide additional details on the issue. An exploit has been publicly disclosed on GitHub (BigMancer/CVE/issues/1) and may be used by attackers.

Details

CWE(s)
CWE-119CWE-121

Affected Products

dlink
di-500wf firmware
17.04.10a1t

CVEs Like This One

CVE-2026-7851Same vendor: Dlink
CVE-2026-3978Same vendor: Dlink
CVE-2025-7911Same vendor: Dlink
CVE-2025-7909Same vendor: Dlink
CVE-2026-2927Same vendor: Dlink
CVE-2025-13188Same vendor: Dlink
CVE-2025-7206Same vendor: Dlink
CVE-2025-13189Same vendor: Dlink
CVE-2026-4529Same vendor: Dlink
CVE-2026-2857Same vendor: Dlink

References