Cyber Resilience

CVE-2025-7206

HighPublic PoC

Published: 09 July 2025

Published
09 July 2025
Modified
14 July 2025
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0295 86.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7206 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dir-825 Firmware. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SA-22 (Unsupported System Components).

Deeper analysis

A critical stack-based buffer overflow vulnerability, tracked as CVE-2025-7206 and assigned CWE-119 and CWE-121, affects the D-Link DIR-825 router running firmware version 2.10. The issue resides in the sub_410DDC function of switch_language.cgi within the httpd component, where unsanitized input to the Language argument can corrupt the stack.

An unauthenticated attacker can trigger the flaw over the network without user interaction, achieving full compromise of confidentiality, integrity, and availability on the device. The CVSS 4.0 score of 8.9 reflects this remote attack surface, and a working exploit has already been published.

The affected product line is no longer supported by D-Link, so no official patches are expected; the vendor's site and public disclosures simply reiterate end-of-life status. The associated EPSS score remains flat at 0.0295 with no material increase since publication.

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, has been found in D-Link DIR-825 2.10. This issue affects the function sub_410DDC of the file switch_language.cgi of the component httpd. The manipulation of the argument Language leads to stack-based buffer overflow. The…

more

attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in public-facing router web CGI (httpd/switch_language.cgi) enables remote unauthenticated RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-8949Same product: Dlink Dir-825
CVE-2025-10034Same product: Dlink Dir-825
CVE-2025-10666Same product: Dlink Dir-825
CVE-2025-7909Same vendor: Dlink
CVE-2026-7851Same vendor: Dlink
CVE-2025-7762Same vendor: Dlink
CVE-2025-15194Same vendor: Dlink
CVE-2025-13191Same vendor: Dlink
CVE-2026-2856Same vendor: Dlink
CVE-2026-4529Same vendor: Dlink

Affected Assets

dlink
dir-825 firmware
2.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces boundary protections such as firewalls to block remote network access to the vulnerable httpd service on internet-exposed D-Link DIR-825 routers.

prevent

Restricts router functionality by prohibiting or disabling unnecessary exposure of the vulnerable web management interface (switch_language.cgi).

prevent

Prohibits or isolates the use of unsupported end-of-life components like the unpatchable D-Link DIR-825 firmware version 2.10.

References