CVE-2025-13306
Published: 18 November 2025
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2025-13306 is a command injection vulnerability in D-Link routers, specifically the models DWR-M920, DWR-M921, DIR-822K, and DIR-825M running firmware version 1.1.5. The flaw affects the system function in the file /boafrm/formDebugDiagnosticRun, where manipulation of the 'host' argument enables command injection. Published on 2025-11-18, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWEs 74, 77, and 78.
The vulnerability allows remote exploitation over the network with low complexity and no user interaction required, but attackers need low privileges (PR:L). Successful attacks can result in low-level impacts to confidentiality, integrity, and availability through injected commands.
Advisories and further details are available at https://github.com/LX-LX88/cve/issues/15, https://vuldb.com/?ctiid.332646, https://vuldb.com/?id.332646, https://vuldb.com/?submit.691813, and https://vuldb.com/?submit.693805. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the router's web diagnostic form directly enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution on the network device CLI (T1059.008).