CVE-2025-8168
Published: 25 July 2025
Summary
CVE-2025-8168 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dir-513. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates manipulated inputs like the curTime argument in the web form to prevent buffer overflow exploitation.
Provides memory protections such as address space layout randomization and data execution prevention to mitigate buffer overflow leading to arbitrary code execution.
Prohibits use of unsupported system components like the end-of-support D-Link DIR-513 router, eliminating exposure to unpatchable vulnerabilities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote buffer overflow in web management interface (/goform/formSetWanPPPoE) enables exploitation of public-facing application (T1190), exploitation of remote services for potential RCE/shell (T1210), and DoS via application exploitation (T1499.004).
NVD Description
A vulnerability was found in D-Link DIR-513 1.10. It has been rated as critical. Affected by this issue is the function websAspInit of the file /goform/formSetWanPPPoE. The manipulation of the argument curTime leads to buffer overflow. The attack may be…
more
launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2025-8168 is a critical buffer overflow vulnerability (CVSS 3.1 score of 8.8) affecting D-Link DIR-513 router firmware version 1.10. The flaw exists in the websAspInit function of the /goform/formSetWanPPPoE file, where manipulation of the curTime argument triggers the overflow. It is associated with CWEs 119, 120, and 787.
The vulnerability enables remote exploitation by attackers possessing low privileges (PR:L), with low attack complexity (AC:L) and no requirement for user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or denial of service on the affected device.
Advisories from VulDB indicate that the exploit has been publicly disclosed, with details and a proof-of-concept available in a GitHub repository focused on the DIR-513. The D-Link DIR-513 is no longer supported by the vendor, so no patches or official mitigations are provided; affected devices should be decommissioned or isolated from networks.
This vulnerability only impacts end-of-support products, and real-world exploitation may occur given the public disclosure of the exploit.
Details
- CWE(s)