CVE-2025-13552 Overview
CVE-2025-13552 is a buffer overflow vulnerability affecting D-Link DIR-822K and DWR-M920 routers. The flaw resides in the /boafrm/formWlEncrypt endpoint within the device web management interface. Attackers manipulate the submit-url argument to trigger a memory corruption condition in an unspecified function. The issue is classified under [CWE-119] for improper restriction of operations within memory buffer bounds. Remote attackers with low privileges can exploit the flaw over the network. Public disclosure of the exploit details has occurred, increasing the risk of opportunistic attacks against exposed devices.
Critical Impact
Authenticated remote attackers can trigger a buffer overflow in the router web interface, potentially leading to arbitrary code execution and full device compromise on affected D-Link DIR-822K and DWR-M920 routers.
Affected Products
- D-Link DIR-822K firmware version 1.00_20250513164613
- D-Link DWR-M920 firmware version 1.1.50
- D-Link DWR-M920 hardware revision B2
Discovery Timeline
- 2025-11-23 - CVE-2025-13552 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-13552
Vulnerability Analysis
The vulnerability exists in the formWlEncrypt handler served by the BOA-derived web server on affected D-Link routers. The handler processes wireless encryption configuration requests submitted through the administrative interface. When the request includes the submit-url parameter, the firmware copies the supplied value into a fixed-size stack or heap buffer without proper bounds checking. An attacker who supplies an oversized value overruns the destination buffer and corrupts adjacent memory. The exploit details are publicly available, and the EPSS score of 0.677% reflects measurable interest in weaponization. The vulnerability requires network reachability to the router management interface and at least low-privilege authentication.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119]. The CGI handler trusts the length of the submit-url argument and performs an unbounded copy. D-Link router firmware historically uses unsafe C string functions such as strcpy and sprintf in BOA web handlers, which permit overflow when input length is not validated.
Attack Vector
An authenticated attacker sends a crafted HTTP POST request to /boafrm/formWlEncrypt on the router web interface. The request body contains an oversized submit-url parameter that exceeds the destination buffer size. Successful exploitation corrupts memory and can lead to control of the program counter on architectures without sufficient mitigations. Devices exposing the management interface to untrusted networks face the highest risk. Refer to the GitHub Issue CVE-36 and VulDB #333319 entries for additional technical context.
Detection Methods for CVE-2025-13552
Indicators of Compromise
- HTTP POST requests to /boafrm/formWlEncrypt containing an unusually long submit-url parameter value.
- Unexpected reboots, watchdog resets, or httpd process crashes on D-Link DIR-822K or DWR-M920 devices.
- New or modified administrative accounts, DNS settings, or firewall rules on the affected router following suspicious web requests.
Detection Strategies
- Inspect router and upstream proxy logs for POST requests targeting /boafrm/formWlEncrypt with parameter lengths exceeding typical values.
- Deploy network intrusion detection signatures that flag HTTP requests to the formWlEncrypt endpoint with abnormal submit-url lengths.
- Correlate router crash events with preceding HTTP traffic to identify probable exploitation attempts.
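The request inspection described in the first two strategies can be sketched as follows. This is an added example, not vendor or advisory code: it assumes a proxy or IDS that records request bodies, and the record fields, the 256-byte threshold and the sample records are all constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/boafrm/formWlEncrypt"  # endpoint named in the advisory
PARAM = "submit-url"                # parameter named in the advisory
MAX_LEN = 256  # assumed alert threshold; tune to the longest legitimate value you see

def submit_url_lengths(body):
    """Decoded byte length of each submit-url value in a form-encoded body.

    latin-1 maps every byte to one character, so len() counts decoded bytes
    rather than the raw (percent-encoded) wire length.
    """
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    return [len(value) for name, value in pairs if name == PARAM]

def inspect(records):
    """Return one alert per POST to ENDPOINT whose submit-url exceeds MAX_LEN."""
    alerts = []
    for rec in records:
        if rec["method"].upper() != "POST":
            continue
        if unquote(urlsplit(rec["target"]).path) != ENDPOINT:
            continue
        longest = max(submit_url_lengths(rec["body"]), default=0)
        if longest > MAX_LEN:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "submit_url_len": longest})
    return alerts

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"ts": "2025-11-24T10:00:01", "src": "192.0.2.10", "method": "POST",
     "target": "/boafrm/formWlEncrypt", "body": b"other=1&submit-url=%2Fpage.htm"},
    {"ts": "2025-11-24T10:03:12", "src": "198.51.100.7", "method": "POST",
     "target": "/boafrm/formWlEncrypt", "body": b"submit%2Durl=" + b"A" * 600},
    {"ts": "2025-11-24T10:03:40", "src": "198.51.100.7", "method": "POST",
     "target": "/boafrm/formWlEncrypt?x=1",
     "body": b"submit-url=/page.htm&submit-url=" + b"%41" * 300},
    {"ts": "2025-11-24T10:05:00", "src": "192.0.2.10", "method": "POST",
     "target": "/boafrm/formOther", "body": b"submit-url=" + b"A" * 600},
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

The parameter name is percent-decoded before matching and every repeated submit-url value is measured, so an encoded name or a short first value does not hide a long one.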
Monitoring Recommendations
- Forward router syslog output to a centralized log platform and alert on httpd segmentation faults or restarts.
- Monitor inbound traffic to router management interfaces and alert on access from unexpected source IP ranges.
- Track configuration drift on affected devices, including DNS, NTP, and credential changes that may indicate post-exploitation activity.
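The correlation of httpd crashes with preceding web requests, mentioned under Detection Strategies and supported by the centralized syslog recommendation above, can be expressed as a time-window join. This is an added example, not part of the advisory: it assumes crash and request events have already been normalized into dictionaries, and the device names, field names, 30-second window and sample events are constructed.

```python
from datetime import datetime, timedelta

ENDPOINT = "/boafrm/formWlEncrypt"  # endpoint named in the advisory
WINDOW = timedelta(seconds=30)      # assumed look-back; tune to your logging delay

def ts(value):
    """Parse the ISO-style timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

def correlate(crashes, requests, window=WINDOW):
    """For each crash or restart, list the sources that sent a request to
    ENDPOINT on the same device within `window` before the crash."""
    findings = []
    for crash in crashes:
        t_crash = ts(crash["ts"])
        suspects = [r for r in requests
                    if r["device"] == crash["device"]
                    and r["path"] == ENDPOINT
                    and timedelta(0) <= t_crash - ts(r["ts"]) <= window]
        if suspects:
            findings.append({"device": crash["device"],
                             "crash_ts": crash["ts"],
                             "sources": sorted({r["src"] for r in suspects})})
    return findings

# Constructed events (not real logs): httpd crashes/restarts taken from syslog.
CRASHES = [
    {"device": "rtr-a", "ts": "2025-11-24T10:00:20"},
    {"device": "rtr-b", "ts": "2025-11-24T11:00:00"},
]
# Constructed events (not real logs): requests seen by an upstream proxy.
REQUESTS = [
    {"device": "rtr-a", "ts": "2025-11-24T10:00:05", "src": "198.51.100.7",
     "path": "/boafrm/formWlEncrypt"},   # 15 s before the crash: correlated
    {"device": "rtr-a", "ts": "2025-11-24T10:00:10", "src": "192.0.2.10",
     "path": "/boafrm/formOther"},       # different endpoint: ignored
    {"device": "rtr-a", "ts": "2025-11-24T10:00:25", "src": "192.0.2.10",
     "path": "/boafrm/formWlEncrypt"},   # after the crash: ignored
    {"device": "rtr-b", "ts": "2025-11-24T10:50:00", "src": "198.51.100.7",
     "path": "/boafrm/formWlEncrypt"},   # 10 min before: outside the window
]

if __name__ == "__main__":
    for finding in correlate(CRASHES, REQUESTS):
        print(finding)
```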
How to Mitigate CVE-2025-13552
Immediate Actions Required
- Restrict access to the router web management interface to trusted internal networks and disable remote WAN-side administration.
- Rotate administrative credentials on all DIR-822K and DWR-M920 devices to limit reuse of low-privilege accounts required for exploitation.
- Inventory affected firmware versions 1.00_20250513164613 and 1.1.50 across the environment and prioritize remediation.
Patch Information
No vendor patch is referenced in the available advisory data at the time of publication. Consult the D-Link Security Information portal for firmware updates addressing CVE-2025-13552 and apply them as soon as they become available.
Workarounds
- Place affected routers behind an upstream firewall and block external access to TCP ports used by the web management interface.
- Disable the web administration interface when not in active use, and require VPN access for management operations.
- Replace end-of-support D-Link DIR-822K and DWR-M920 devices with currently supported hardware where vendor patches are unavailable.
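```bash
# Example: block external access to the router management interface using iptables on an upstream gateway
# Replace the placeholders with the router's address and the gateway's WAN-facing interface
ROUTER_IP="<router_ip>"
WAN_IFACE="<wan_iface>"
iptables -A FORWARD -p tcp -d "$ROUTER_IP" --dport 80 -i "$WAN_IFACE" -j DROP
iptables -A FORWARD -p tcp -d "$ROUTER_IP" --dport 443 -i "$WAN_IFACE" -j DROP
```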

