Cyber Posture

CVE-2025-13188

Critical · Public PoC

Published: 14 November 2025

Modified: 20 November 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta. Affected by this vulnerability is the function authenticationcgi_main of the file /authentication.cgi. Performing manipulation of the argument Password results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly addresses risks from unsupported system components like the EOL D-Link DIR-816L firmware with no patches available for this buffer overflow vulnerability.

prevent

Requires validation of untrusted inputs such as the Password argument to prevent stack-based buffer overflows in the authentication.cgi function.

prevent

Provides memory protections like stack canaries, ASLR, and DEP to mitigate exploitation of stack-based buffer overflows triggered by oversized password inputs.

Security Summary (AI)

CVE-2025-13188 is a stack-based buffer overflow vulnerability affecting the authenticationcgi_main function in the /authentication.cgi file of the D-Link DIR-816L router running firmware version 2_06_b09_beta. The flaw is triggered by manipulating the Password argument, enabling improper memory handling that leads to the overflow. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

Remote attackers can exploit this vulnerability without authentication or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vector describes network exploitation with low attack complexity and high impact on confidentiality, integrity, and availability, potentially resulting in complete device compromise such as arbitrary code execution.

Advisories note that the vulnerability only affects products no longer supported by the maintainer, with no patches available. Key references include a GitHub PDF detailing the stack overflow in authentication.cgi, VulDB entries (ctiid.332476, id.332476, submit.685538) confirming remote exploitability, and the D-Link website.

The exploit is public and may be used, increasing risk for exposed D-Link DIR-816L devices on firmware 2_06_b09_beta.

Details

CWE(s)

Affected Products

dlink
dir-816l firmware
2.06.b09

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the public-facing authentication.cgi web interface of the D-Link DIR-816L router allows remote unauthenticated exploitation for potential remote code execution.

References