CVE-2025-15190

HighPublic PoC

Published: 29 December 2025

Published

29 December 2025

Modified

30 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit…

has been released to the public and may be exploited.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents the stack-based buffer overflow by validating the ip6addr argument in the formFilter function to ensure it conforms to expected IPv6 format and length bounds.

SI-16 Memory Protection good match

prevent

Implements memory protections such as stack canaries, ASLR, and non-executable stacks to block exploitation of the buffer overflow even if invalid input reaches the vulnerable function.

SI-2 Flaw Remediation good match

preventrecover

Requires timely identification, reporting, and patching of the known firmware flaw in D-Link DWR-M920 up to version 1.1.50 to eliminate the vulnerability.

Security SummaryAI

CVE-2025-15190 is a stack-based buffer overflow vulnerability affecting D-Link DWR-M920 router firmware versions up to 1.1.50. The flaw resides in the function sub_42261C within the file /boafrm/formFilter, where manipulation of the ip6addr argument triggers the overflow. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely over the network with low complexity and low privileges required, without user interaction. An attacker with low privileges can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution via the buffer overflow.

References point to GitHub repositories under panda666-888/vuls detailing the D-Link DWR-M920 formFilter vulnerability, including a proof-of-concept exploit. VulDB entries (ctiid.338575, id.338575, submit.723553) document the issue, but no vendor advisories or specific patches are mentioned.

The exploit has been publicly released, enabling potential immediate exploitation in the wild. The vulnerability was published on 2025-12-29.

Details

CWE(s): CWE-119 CWE-121

Affected Products

dlink

dwr-m920 firmware

≤ 1.1.50

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in the web management interface (/boafrm/formFilter) of D-Link DWR-M920 router allows remote exploitation of a public-facing application for initial access.

References

https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md#poc
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.338575
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.338575
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.723553
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com