Cyber Posture

CVE-2025-15194

Critical · Public PoC

Published: 29 December 2025

Modified: 13 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of the argument Cookie results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Prohibits the use of unsupported system components like the end-of-life D-Link DIR-600 router, which lacks patches for this unremediable buffer overflow vulnerability.

prevent · recover

Requires timely identification, reporting, and remediation of known flaws such as CVE-2025-15194, mandating isolation or replacement of unpatchable EOL devices.

prevent · detect

Monitors and controls network communications at boundaries to block remote exploitation of the unauthenticated HTTP Cookie manipulation vulnerability on internet-facing routers.

Security Summary [AI]

CVE-2025-15194 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121) affecting D-Link DIR-600 routers up to firmware version 2.15WWb02. The flaw resides in an unknown functionality of the hedwig.cgi file within the HTTP Header Handler component, triggered by manipulation of the Cookie argument.

The vulnerability enables remote exploitation over the network with low complexity, requiring no privileges, authentication, or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). Attackers can send crafted HTTP requests to overflow the stack, potentially achieving arbitrary code execution and full compromise of the device, including high impacts on confidentiality, integrity, and availability.

Affected products are no longer supported by the maintainer, with no patches available. Advisories highlight a publicly disclosed exploit, including proof-of-concept code, and urge isolation or replacement of exposed devices. Key references include GitHub repositories detailing the vulnerability and PoC, as well as VulDB entries (ctiid.338581, id.338581).

The public availability of the exploit elevates risks for internet-facing DIR-600 routers, particularly in environments with legacy hardware.

Details

CWE(s)

Affected Products

dlink
dir-600 firmware
2.15ww

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A stack-based buffer overflow in an HTTP CGI endpoint (hedwig.cgi) on an internet-facing router enables unauthenticated remote code execution via crafted network requests, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
