CVE-2025-7206
Published: 09 July 2025
Summary
CVE-2025-7206 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in D-Link DIR-825 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SA-22 (Unsupported System Components).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces boundary protections such as firewalls to block remote network access to the vulnerable httpd service on internet-exposed D-Link DIR-825 routers.
Restricts router functionality by prohibiting or disabling unnecessary exposure of the vulnerable web management interface (switch_language.cgi).
Prohibits or isolates the use of unsupported end-of-life components like the unpatchable D-Link DIR-825 firmware version 2.10.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in public-facing router web CGI (httpd/switch_language.cgi) enables remote unauthenticated RCE.
NVD Description
A vulnerability, which was classified as critical, has been found in D-Link DIR-825 2.10. This issue affects the function sub_410DDC of the file switch_language.cgi of the component httpd. The manipulation of the argument Language leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis
CVE-2025-7206 is a critical stack-based buffer overflow vulnerability affecting the D-Link DIR-825 router on firmware version 2.10. The flaw exists in the sub_410DDC function of the switch_language.cgi file within the httpd component, where manipulation of the Language argument triggers the overflow. Classified under CWE-119 and CWE-121, it received a CVSS v3.1 base score of 9.8 and was published on 2025-07-09.
The vulnerability enables remote exploitation with no authentication, privileges, or user interaction required (AV:N/AC:L/PR:N/UI:N), potentially allowing attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful attacks could result in arbitrary code execution, full device compromise, data exfiltration, or denial of service on vulnerable routers exposed to the internet.
Advisories from VulDB and a GitHub issue in i-Corner/cve detail the vulnerability and note that an exploit has been publicly disclosed and may be used. The affected products are no longer supported by D-Link, so no patches or firmware updates are available; mitigation relies on network segmentation, firewall rules to block access to the httpd service, or device retirement. The D-Link website provides general support information but no specific guidance for this issue.
Details
- CWE(s)