
CVE-2025-13547: D-Link DIR-822K Firmware RCE Vulnerability

CVE-2025-13547 is a remote code execution vulnerability in D-Link DIR-822K firmware caused by memory corruption in the formDdns file. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2025-13547 Overview

CVE-2025-13547 is a memory corruption vulnerability affecting D-Link DIR-822K and DWR-M920 routers. The flaw resides in the /boafrm/formDdns endpoint of the web management interface. Attackers can manipulate the submit-url argument to trigger memory corruption [CWE-119]. The issue affects DIR-822K firmware version 1.00_20250513164613 and DWR-M920 firmware version 1.1.50. The vulnerability is exploitable remotely over the network and requires low-privilege authentication. A public exploit has been disclosed, increasing the risk of opportunistic abuse against exposed devices.

Critical Impact

Authenticated remote attackers can corrupt router memory through the formDdns handler, potentially leading to denial of service or arbitrary code execution on affected D-Link devices.

Affected Products

  • D-Link DIR-822K with firmware 1.00_20250513164613
  • D-Link DWR-M920 (revision B2) with firmware 1.1.50
  • D-Link DIR-822K and DWR-M920 firmware images containing the vulnerable /boafrm/formDdns handler

Discovery Timeline

  • 2025-11-23 - CVE-2025-13547 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-13547

Vulnerability Analysis

The vulnerability exists in the boa web server component that handles the /boafrm/formDdns URL on affected D-Link routers. The handler processes the submit-url HTTP parameter without enforcing proper bounds on the supplied data. Sending a crafted request causes memory corruption within the device's web management process. The flaw is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer. Successful exploitation can compromise the confidentiality, integrity, and availability of the router. Public proof-of-concept material has been referenced in GitHub CVE Issue #30 and GitHub CVE Issue #42.

Root Cause

The root cause is missing or insufficient input validation on the submit-url parameter inside the formDdns form handler. The handler copies attacker-controlled input into a fixed-size memory region without verifying length, allowing adjacent memory to be overwritten. This class of flaw is common in lightweight embedded HTTP servers such as boa used in consumer-grade networking gear.

Attack Vector

An attacker with low-privilege credentials sends an HTTP POST request to /boafrm/formDdns containing an oversized or malformed submit-url value. The request triggers memory corruption in the running web server process. Where management interfaces are exposed to the internet or untrusted LAN segments, the attack can be launched remotely.

No verified exploit code is reproduced here. Refer to VulDB #333314 for additional technical detail on the disclosed proof of concept.

Detection Methods for CVE-2025-13547

Indicators of Compromise

  • HTTP POST requests to the /boafrm/formDdns URI containing unusually long or non-URL submit-url parameter values
  • Unexpected reboots, watchdog resets, or crashes of the router web management daemon (boa)
  • Authenticated administrative sessions originating from unfamiliar IP addresses immediately preceding device instability

Detection Strategies

  • Inspect router and upstream firewall logs for repeated requests to formDdns from a single source, especially with abnormal payload sizes
  • Deploy network intrusion detection signatures that flag POST requests to /boafrm/formDdns exceeding expected submit-url length
  • Correlate device availability monitoring with web request telemetry to identify exploitation attempts that crash the management interface
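The first two strategies above can be prototyped against reverse-proxy or IDS request records before writing a production signature. The following is an added example, not part of the original advisory and not vendor code; the record layout, both thresholds, the assumption that a legitimate submit-url is a short local page path, and all sample values are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs

TARGET_PATH = "/boafrm/formDdns"
MAX_SUBMIT_URL_LEN = 128  # assumed ceiling; tune to what the router UI really sends
REPEAT_THRESHOLD = 3      # assumed per-source request count worth an alert

def inspect(record):
    """Return the reasons a single request looks suspicious (empty list if none)."""
    if record["method"] != "POST" or record["path"].split("?")[0] != TARGET_PATH:
        return []
    reasons = []
    for value in parse_qs(record["body"], keep_blank_values=True).get("submit-url", []):
        if len(value) > MAX_SUBMIT_URL_LEN:
            reasons.append(f"submit-url length {len(value)} > {MAX_SUBMIT_URL_LEN}")
        # Assumption: a legitimate value is a printable local path such as "/page.htm".
        if not value.startswith("/") or any(not 0x20 <= ord(c) <= 0x7E for c in value):
            reasons.append("submit-url is not a printable local path")
    return reasons

def scan(records):
    """Return (source, reasons) alerts: per-request findings, then repeat offenders."""
    alerts, per_source = [], Counter()
    for rec in records:
        if rec["path"].split("?")[0] == TARGET_PATH:
            per_source[rec["src"]] += 1
        reasons = inspect(rec)
        if reasons:
            alerts.append((rec["src"], reasons))
    for src, n in per_source.items():
        if n >= REPEAT_THRESHOLD:
            alerts.append((src, [f"{n} requests to {TARGET_PATH}"]))
    return alerts

# Constructed sample records (documentation IP ranges, made-up form fields).
SAMPLE = [
    {"src": "192.0.2.15", "method": "POST", "path": TARGET_PATH,
     "body": "enabled=1&submit-url=%2Fddns.htm"},
] + [
    {"src": "203.0.113.7", "method": "POST", "path": TARGET_PATH,
     "body": "submit-url=" + "A" * (MAX_SUBMIT_URL_LEN * 4)},
] * 3

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE):
        print(src, "; ".join(reasons))
```

Length is measured after percent-decoding, so an encoded value cannot slip under the threshold by inflating or deflating its on-the-wire size.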

Monitoring Recommendations

  • Forward router syslog and HTTP access logs to a centralized SIEM for retention and correlation
  • Alert on any external sources reaching the device management interface, which should not be internet-exposed
  • Track firmware versions across the D-Link fleet to identify unpatched DIR-822K and DWR-M920 units

How to Mitigate CVE-2025-13547

Immediate Actions Required

  • Restrict access to the router web management interface to trusted management VLANs only
  • Disable remote/WAN-side administration on all DIR-822K and DWR-M920 devices
  • Rotate administrative credentials, since exploitation requires low-privilege authenticated access
  • Monitor D-Link Security Information for an official firmware update addressing CVE-2025-13547

Patch Information

At the time of NVD publication, no vendor advisory or fixed firmware build had been linked to this CVE. Administrators should consult the D-Link Security Information portal and the VulDB #333314 entry for updates on patch availability for DIR-822K firmware 1.00_20250513164613 and DWR-M920 firmware 1.1.50.

Workarounds

  • Block external access to /boafrm/formDdns using an upstream firewall or reverse proxy access control list
  • Disable the Dynamic DNS feature in the router configuration if it is not required
  • Place affected devices behind a network segmentation boundary that prevents untrusted hosts from reaching the management plane
  • Replace end-of-support D-Link models with currently supported hardware where a vendor patch is not forthcoming

```bash
# Example upstream ACL to restrict access to the router management interface
# Replace 192.0.2.0/24 with your trusted management subnet and 198.51.100.10 with the router IP
iptables -A FORWARD -s 192.0.2.0/24 -d 198.51.100.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 198.51.100.10 -p tcp --dport 80 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
