CVE-2026-2925
Published: 22 February 2026
Summary
CVE-2026-2925 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dwr-M960 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates the manipulated submit-url argument to prevent the stack-based buffer overflow in the Bridge VLAN Configuration Endpoint.
Implements memory protection techniques like stack canaries and ASLR to block arbitrary code execution from the buffer overflow exploit.
Requires identification, reporting, and patching of the specific buffer overflow flaw in the D-Link router firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing web form endpoint (/boafrm/formBridgeVlan) on network device enables remote authenticated code execution (PR:L to full impact), directly mapping to exploitation of public-facing apps for initial access and software vuln exploitation for privilege escalation.
NVD Description
A vulnerability was detected in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_42B5A0 of the file /boafrm/formBridgeVlan of the component Bridge VLAN Configuration Endpoint. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. The…
more
attack can be initiated remotely. The exploit is now public and may be used.
Deeper analysisAI
CVE-2026-2925 is a stack-based buffer overflow vulnerability affecting the D-Link DWR-M960 router on firmware version 1.01.07. The flaw resides in the function sub_42B5A0 within the file /boafrm/formBridgeVlan of the Bridge VLAN Configuration Endpoint. It is triggered by manipulating the submit-url argument, as documented in the CVE description published on 2026-02-22.
The vulnerability enables remote exploitation by attackers with low privileges (PR:L). Per its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it requires network access and minimal authentication but no user interaction, potentially granting high confidentiality, integrity, and availability impacts. Successful exploitation could lead to arbitrary code execution via the buffer overflow (CWE-119, CWE-121). A public exploit is available and may be used.
Advisories and further details are available via references including VulDB entries (ctiid.347272, id.347272, submit.754497), a GitHub issue at LX-66-LX/cve-new/issues/20, and D-Link's website. No specific patch or mitigation guidance is detailed in the core CVE information.
Details
- CWE(s)