Cyber Resilience

CVE-2025-9938

HighPublic PoC

Published: 04 September 2025

Published
04 September 2025
Modified
29 September 2025
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 62.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9938 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Di-8400 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-9938 is a stack-based buffer overflow vulnerability affecting the D-Link DI-8400 router running firmware version 16.07.26A1. The issue resides in the yyxz_dlink_asp function within the /yyxz.asp file, where manipulation of the ID argument triggers the overflow. This flaw, associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring network access and low complexity with no user interaction needed. Successful exploitation allows high-impact consequences, including unauthorized disclosure of confidential information, modification of data or system integrity, and denial of service through availability disruption, potentially leading to remote code execution on the affected device.

Advisories and references, including entries on VulDB (ctiid.322340, id.322340, submit.643446), highlight the issue but do not specify patches or vendor mitigations in the available details. Proof-of-concept exploits are publicly available on GitHub repositories targeting the /yyxz.asp endpoint, increasing the risk of widespread exploitation.

Notable context includes the public availability of exploits, published on 2025-09-04, which elevates the urgency for affected users to monitor and isolate vulnerable devices pending further vendor guidance.

EU & UK References

Vulnerability details

A weakness has been identified in D-Link DI-8400 16.07.26A1. The affected element is the function yyxz_dlink_asp of the file /yyxz.asp. This manipulation of the argument ID causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit…

more

has been made available to the public and could be exploited.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the public-facing web application (/yyxz.asp) on D-Link DI-8400 enables remote code execution, directly facilitating exploitation of public-facing applications.

CVEs Like This One

CVE-2026-4184Same vendor: Dlink
CVE-2026-4181Same vendor: Dlink
CVE-2026-4183Same vendor: Dlink
CVE-2026-5212Same vendor: Dlink
CVE-2025-10779Same vendor: Dlink
CVE-2025-1876Same vendor: Dlink
CVE-2026-4211Same vendor: Dlink
CVE-2025-8184Same vendor: Dlink
CVE-2026-5213Same vendor: Dlink
CVE-2026-4182Same vendor: Dlink

Affected Assets

dlink
di-8400 firmware
16.07.26a1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of the ID argument in /yyxz.asp to directly prevent the stack-based buffer overflow triggered by improper input manipulation.

prevent

Implements memory safeguards like stack canaries and ASLR to protect against exploitation of the stack-based buffer overflow vulnerability.

prevent

Requires timely identification, reporting, and patching of the specific buffer overflow flaw in D-Link DI-8400 firmware version 16.07.26A1.

References