CVE-2025-13191

HighPublic PoC

Published: 15 November 2025

Published

15 November 2025

Modified

19 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in D-Link DIR-816L 2_06_b09_beta. This issue affects the function soapcgi_main of the file /soap.cgi. This manipulation causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may…

be utilized. This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5)AI

SA-22 Unsupported System Components good match

prevent

Prohibits use of end-of-support components like the D-Link DIR-816L, directly eliminating exposure to this unpatchable stack buffer overflow vulnerability.

SI-2 Flaw Remediation good match

prevent

Requires identification, prioritization, and remediation of flaws like CVE-2025-13191, mandating replacement or isolation for unsupported systems lacking patches.

SI-16 Memory Protection good match

prevent

Implements memory protections such as stack canaries and non-executable stacks that directly prevent exploitation of stack-based buffer overflows in soapcgi_main.

Security SummaryAI

CVE-2025-13191 is a stack-based buffer overflow vulnerability affecting the soapcgi_main function in the /soap.cgi file of the D-Link DIR-816L router running firmware version 2_06_b09_beta. This issue, linked to CWE-119 and CWE-121, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and impacts only products that are no longer supported by the maintainer.

The vulnerability enables remote exploitation by an attacker possessing low privileges, with low attack complexity and no requirement for user interaction. Successful exploitation can lead to high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution via the disclosed stack overflow.

Advisories from VulDB indicate no official patches are available due to end-of-support status for the affected D-Link DIR-816L devices. Mitigation recommendations focus on network isolation, replacement with supported hardware, or disabling the vulnerable soap.cgi endpoint if feasible. A proof-of-concept exploit is publicly available in a GitHub-hosted PDF document.

The exploit has been publicly disclosed and may be utilized, increasing risk for exposed, unpatched DIR-816L routers in active networks.

Details

CWE(s): CWE-119 CWE-121

Affected Products

dlink

dir-816l firmware

2.06.b09

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in the public-facing /soap.cgi endpoint on the D-Link DIR-816L router enables remote code execution via exploitation of a public-facing application.

References

https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(soap.cgi).pdf
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.332480
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.332480
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.685543
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com