CVE-2025-9938
Published: 04 September 2025
Summary
CVE-2025-9938 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Di-8400 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces validation of the ID argument in /yyxz.asp to directly prevent the stack-based buffer overflow triggered by improper input manipulation.
Implements memory safeguards like stack canaries and ASLR to protect against exploitation of the stack-based buffer overflow vulnerability.
Requires timely identification, reporting, and patching of the specific buffer overflow flaw in D-Link DI-8400 firmware version 16.07.26A1.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing web application (/yyxz.asp) on D-Link DI-8400 enables remote code execution, directly facilitating exploitation of public-facing applications.
NVD Description
A weakness has been identified in D-Link DI-8400 16.07.26A1. The affected element is the function yyxz_dlink_asp of the file /yyxz.asp. This manipulation of the argument ID causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit…
more
has been made available to the public and could be exploited.
Deeper analysisAI
CVE-2025-9938 is a stack-based buffer overflow vulnerability affecting the D-Link DI-8400 router running firmware version 16.07.26A1. The issue resides in the yyxz_dlink_asp function within the /yyxz.asp file, where manipulation of the ID argument triggers the overflow. This flaw, associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring network access and low complexity with no user interaction needed. Successful exploitation allows high-impact consequences, including unauthorized disclosure of confidential information, modification of data or system integrity, and denial of service through availability disruption, potentially leading to remote code execution on the affected device.
Advisories and references, including entries on VulDB (ctiid.322340, id.322340, submit.643446), highlight the issue but do not specify patches or vendor mitigations in the available details. Proof-of-concept exploits are publicly available on GitHub repositories targeting the /yyxz.asp endpoint, increasing the risk of widespread exploitation.
Notable context includes the public availability of exploits, published on 2025-09-04, which elevates the urgency for affected users to monitor and isolate vulnerable devices pending further vendor guidance.
Details
- CWE(s)