CVE-2025-7909

High · Public PoC

Published: 20 July 2025

Modified: 25 July 2025
KEV Added:
Patch:
CVSS Score v4: 7.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0198 (84.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7909 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in D-Link DIR-513 firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.0% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability rated critical was identified in the D-Link DIR-513 1.0 router. It resides in the sprintf call reached through the /goform/formLanSetupRouterSettings endpoint of the Boa Webserver component, where manipulation of the curTime argument produces a stack-based buffer overflow. The flaw is tracked as CVE-2025-7909 with CVSS 7.4 and is associated with CWE-119 and CWE-121. It affects only an end-of-life product that the vendor no longer supports.

An authenticated remote attacker can send a crafted HTTP request that overflows the stack buffer, enabling arbitrary code execution or a crash of the web server process. Public exploit code has been released. The attack requires no user interaction, only network reachability to the management interface.

The EPSS score has remained flat at 0.0198 with no material rise after disclosure. Available references include a detailed proof-of-concept on GitHub, entries in the VulDB database, and the vendor homepage confirming the unsupported status of the DIR-513.

Vulnerability details

A vulnerability was found in D-Link DIR-513 1.0. It has been rated as critical. Affected by this issue is the function sprintf of the file /goform/formLanSetupRouterSettings of the component Boa Webserver. The manipulation of the argument curTime leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in public-facing Boa webserver form allows remote authenticated RCE on network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7910 · Same product: D-Link DIR-513
CVE-2026-3978 · Same product: D-Link DIR-513
CVE-2025-8184 · Same product: D-Link DIR-513
CVE-2025-8159 · Same product: D-Link DIR-513
CVE-2025-70232 · Same product: D-Link DIR-513
CVE-2025-70219 · Same product: D-Link DIR-513
CVE-2025-70225 · Same product: D-Link DIR-513
CVE-2025-70246 · Same product: D-Link DIR-513
CVE-2025-70220 · Same product: D-Link DIR-513
CVE-2025-70242 · Same product: D-Link DIR-513

Affected Assets

dlink · dir-513 firmware · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses use of end-of-life unsupported devices like the D-Link DIR-513 by requiring disablement or removal to eliminate unpatched buffer overflow risks.

prevent

Provides memory protections like stack canaries and non-executable memory to block exploitation of stack-based buffer overflows even if triggered.

prevent

Enforces input validation for parameters like curTime to prevent buffer overflows from unsanitized data passed to unsafe functions such as sprintf.
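
The input-validation control described above, sketched in C as an added example; this is not code from the DIR-513 firmware or from the referenced proof-of-concept. The buffer size, the "time=%s" format string, the all-digit form of curTime and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits: the page gives neither the buffer size nor the curTime format. */
#define CMD_BUF_LEN 64  /* constructed stack buffer size */
#define CURTIME_MAX 16  /* assumed longest legitimate timestamp token */

/* SI-10 style check: accept only a short, all-digit token; the scan is bounded. */
static int curtime_is_valid(const char *v)
{
    size_t n;
    if (v == NULL)
        return 0;
    for (n = 0; v[n] != '\0'; n++)
        if (n >= CURTIME_MAX || !isdigit((unsigned char)v[n]))
            return 0;
    return n > 0;
}

/* Bounded stand-in for sprintf(buf, "...%s", curTime): 0 on success, -1 on reject. */
int build_time_setting(const char *cur_time, char *out, size_t out_len)
{
    int written;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!curtime_is_valid(cur_time))
        return -1;
    /* "time=%s" is a hypothetical format string, not the firmware's. */
    written = snprintf(out, out_len, "time=%s", cur_time);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';  /* never hand back a truncated value */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[CMD_BUF_LEN], oversized[300];  /* oversized: constructed input */
    memset(oversized, '7', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    int rc = build_time_setting("1753000000", buf, sizeof buf);
    printf("valid input: rc=%d out=%s\n", rc, buf);
    printf("oversized input: rc=%d\n", build_time_setting(oversized, buf, sizeof buf));
    return 0;
}
```

Rejecting on both the length check and the snprintf return value means a later change to the format string cannot silently reintroduce truncation or overflow.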
