CVE-2025-15189

HighPublic PoC

Published: 29 December 2025

Published

29 December 2025

Modified

30 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was identified in D-Link DWR-M920 up to 1.1.50. This issue affects the function sub_464794 of the file /boafrm/formDefRoute. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly…

available and might be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the buffer overflow flaw in sub_464794 by identifying, reporting, and applying firmware patches or updates for D-Link DWR-M920 up to 1.1.50.

SI-10 Information Input Validation good match

prevent

Requires validation of the submit-url argument's length and content in /boafrm/formDefRoute to prevent buffer overflow from malformed remote inputs.

SI-16 Memory Protection good match

prevent

Implements memory protections such as stack canaries, ASLR, and DEP to block arbitrary code execution even if the buffer overflow in sub_464794 is triggered.

Security SummaryAI

CVE-2025-15189 is a buffer overflow vulnerability in D-Link DWR-M920 routers running firmware versions up to 1.1.50. The issue affects the sub_464794 function in the /boafrm/formDefRoute file, where manipulation of the submit-url argument triggers the overflow. Published on 2025-12-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 and CWE-120.

The vulnerability enables remote exploitation by attackers with low privileges, requiring no user interaction. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or denial of service on affected devices.

Advisories and references, including GitHub proof-of-concept exploits at https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md and VULDB entries at https://vuldb.com/?ctiid.338574, document the issue but do not specify patches or mitigations. The exploit is publicly available and might be used.

A publicly available exploit underscores the risk of active exploitation against unpatched D-Link DWR-M920 devices.

Details

CWE(s): CWE-119 CWE-120

Affected Products

dlink

dwr-m920 firmware

≤ 1.1.50

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in the web interface (/boafrm/formDefRoute) of the D-Link DWR-M920 router via 'submit-url' parameter enables remote exploitation of a public-facing application.

References

https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md#poc
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.338574
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.338574
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.723552
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com