Cyber Resilience

CVE-2025-8949

High · Public PoC

Published: 14 August 2025

Modified: 18 August 2025
KEV Added
Patch
CVSS v4 Score: 7.3
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0225 (84.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8949 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in D-Link DIR-825 firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

A stack-based buffer overflow vulnerability exists in the D-Link DIR-825 firmware version 2.10 within the get_ping_app_stat function of ping_response.cgi in the httpd component. The flaw is triggered by unsanitized input to the ping_ipaddr argument and is tracked under CWE-119 and CWE-121. The affected device is an end-of-life model no longer supported by the vendor.

An authenticated remote attacker can supply a crafted ping_ipaddr value over the network to overflow the stack buffer, leading to arbitrary code execution with high impact on confidentiality, integrity, and availability. Public exploit code has already been released, although the CVSS vector indicates that high privileges are required (PR:H), and the current EPSS score remains low at 0.0225 with no upward movement since disclosure.

Vendor references confirm the product is unsupported, implying no official patches will be issued; users are therefore advised to retire the device or apply network-level controls to restrict access to the management interface.

Vulnerability details

A vulnerability was identified in D-Link DIR-825 2.10. Affected by this vulnerability is the function get_ping_app_stat of the file ping_response.cgi of the component httpd. The manipulation of the argument ping_ipaddr leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack buffer overflow in router web CGI (ping_response.cgi) directly enables remote code execution against a public-facing network device application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7206 · Same product: Dlink Dir-825
CVE-2025-10034 · Same product: Dlink Dir-825
CVE-2025-10666 · Same product: Dlink Dir-825
CVE-2025-7909 · Same vendor: Dlink
CVE-2026-7851 · Same vendor: Dlink
CVE-2025-7762 · Same vendor: Dlink
CVE-2025-15194 · Same vendor: Dlink
CVE-2025-13191 · Same vendor: Dlink
CVE-2026-2856 · Same vendor: Dlink
CVE-2026-4529 · Same vendor: Dlink

Affected Assets

Vendor: dlink · Product: dir-825 firmware · Version: 2.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly enforces validation of the ping_ipaddr argument before it reaches get_ping_app_stat, blocking the stack overflow at its source.

prevent: Applies memory-protection mechanisms that can detect or block stack-based overflows in the httpd process before code execution occurs.

prevent: Mandates replacement or additional mitigations for the explicitly unsupported DIR-825 firmware that receives no patches for this flaw.