CVE-2025-8184
Published: 26 July 2025
Summary
CVE-2025-8184 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dir-513. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents stack-based buffer overflows by validating HTTP POST request inputs in the formSetWanL2TPcallback function.
Implements memory protections such as non-executable stacks and guard pages to mitigate exploitation of the stack-based buffer overflow.
Prohibits and requires removal of unsupported end-of-life components like the D-Link DIR-513 with no available patches.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the router's HTTP POST handler (formSetWanL2TPcallback) is directly exploitable over the network by an authenticated user, matching the definition of T1190 Exploit Public-Facing Application and enabling arbitrary code execution on the device.
NVD Description
A vulnerability was found in D-Link DIR-513 up to 1.10 and classified as critical. This issue affects the function formSetWanL2TPcallback of the file /goform/formSetWanL2TPtriggers of the component HTTP POST Request Handler. The manipulation leads to stack-based buffer overflow. The attack…
more
may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2025-8184 is a critical stack-based buffer overflow vulnerability (classified under CWE-119, CWE-121, and CWE-787) affecting D-Link DIR-513 routers running firmware versions up to 1.10. The flaw resides in the formSetWanL2TPcallback function within the /goform/formSetWanL2TPtriggers file, part of the HTTP POST Request Handler component. Published on 2025-07-26, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low complexity and privileges required.
A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability by sending a specially crafted HTTP POST request to trigger the buffer overflow. Successful exploitation could result in high-impact outcomes, including arbitrary code execution, data compromise, system disruption, or full control over the affected device, as the overflow occurs on the stack.
VulDB advisories (ctiid.317597, id.317597, submit.622222) document the issue, confirming remote exploitability and public disclosure of a proof-of-concept via a GitHub repository detailing the formSetWanPPTP.md exploit path. The D-Link DIR-513 is end-of-life and no longer supported by the manufacturer, leaving no official patches or mitigations available; practitioners should isolate or retire affected devices.
The exploit has been publicly disclosed and may be actively used, underscoring risks for legacy deployments in environments retaining these unsupported routers.
Details
- CWE(s)