Cyber Posture

CVE-2025-2618

Critical · Public PoC

Published: 22 March 2025

Published: 22 March 2025
Modified: 26 March 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2025-2618 is a critical heap-based buffer overflow vulnerability (CVSS 3.1 score of 9.8) affecting the D-Link DAP-1620 wireless access point running firmware version 1.03. The issue resides in the set_ws_action function within the /dws/api/ path handler component and is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-122 (Heap-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). Published on March 22, 2025, the flaw can be triggered remotely without any authentication or other restriction.

The vulnerability can be exploited remotely by unauthenticated attackers (AV:N/AC:L/PR:N/UI:N) over the network with low complexity and no user interaction required. Successful exploitation grants high-impact confidentiality, integrity, and availability compromises (C:H/I:H/A:H), potentially allowing arbitrary code execution on the device.

Advisories from VulDB indicate that the product is no longer supported by the maintainer, so no official patches or updates are expected. References point to detailed disclosures on VulDB and to a public Notion page hosting the exploit; the D-Link website provides general product information but no specific mitigation guidance. For an end-of-life device with no fix available, the practical mitigations are to remove it from service or, at minimum, keep its management interface off the Internet and reachable only from a trusted management network.

Notable context includes the public disclosure of a working exploit, increasing the risk for remaining deployments of this end-of-life device.

Details

CWE(s)
CWE-119, CWE-122, CWE-787

Affected Products

Vendor: dlink
Product: dap-1620 firmware
Version: 1.03

MITRE ATT&CK Enterprise Techniques

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote, unauthenticated heap-based buffer overflow in a public-facing web API (the set_ws_action handler under /dws/api/) maps to initial access via exploitation of a public-facing application (T1190) and to denial of service through an application crash or system exploitation (T1499.004), with the potential for remote code execution.

References