CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A vulnerability has been found in D-Link DIR-825 2.03 and classified as critical. This vulnerability affects the function sub_4091AC of the component HTTP POST Request Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Analysis
CVE-2025-6292 is a critical stack-based buffer overflow vulnerability in D-Link DIR-825 routers (version 2.03 and potentially others) that allows authenticated attackers to execute arbitrary code remotely via malformed HTTP POST requests to the vulnerable HTTP POST Request Handler function. The vulnerability affects end-of-life products no longer receiving security updates from D-Link, and public exploit code has been disclosed, increasing real-world exploitation risk despite requiring valid credentials.
Technical Context
The vulnerability exists in the HTTP POST Request Handler component (specifically function sub_4091AC) of D-Link DIR-825 firmware, which fails to properly validate input length before copying user-supplied data into a stack-allocated buffer. This is a classic stack-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer). The DIR-825 is a wireless router that processes HTTP POST requests for configuration and management. The vulnerability allows an authenticated user to craft an oversized POST parameter that overwrites the stack, potentially corrupting return addresses and enabling arbitrary code execution in the router's context (typically with root/administrative privileges). The affected function processes HTTP POST data without adequate bounds checking, a common issue in embedded device firmware where memory constraints are tight and input validation is insufficient.
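The missing check described above, shown in its corrected form as an added example (not D-Link firmware code and not a reconstruction of sub_4091AC). The function name `get_post_param`, the form-encoded body format and the buffer sizes are assumptions chosen for illustration. The bound is enforced on the decoded output as each byte is written, so an oversized parameter is rejected instead of running past the stack buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if not hex. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/*
 * Copy the URL-decoded value of `key` from a form-encoded POST body into
 * `out`, whose capacity `out_size` includes the terminating NUL.
 * Returns the decoded length, -1 if the key is absent, or -2 if the value
 * is malformed or would not fit (out is left as an empty string).
 */
int get_post_param(const char *body, size_t body_len, const char *key,
                   char *out, size_t out_size) {
    size_t klen = strlen(key), i = 0;
    if (out_size == 0) return -2;
    out[0] = '\0';
    while (i < body_len) {
        size_t end = i;
        while (end < body_len && body[end] != '&') end++;  /* one key=value pair */
        if (end - i > klen && memcmp(body + i, key, klen) == 0 &&
            body[i + klen] == '=') {
            size_t n = 0;
            for (size_t p = i + klen + 1; p < end; p++) {
                int ch = (unsigned char)body[p];
                if (ch == '+') {
                    ch = ' ';
                } else if (ch == '%') {
                    if (p + 2 >= end) { out[0] = '\0'; return -2; }  /* truncated escape */
                    int hi = hexval((unsigned char)body[p + 1]);
                    int lo = hexval((unsigned char)body[p + 2]);
                    if (hi < 0 || lo < 0) { out[0] = '\0'; return -2; }
                    ch = hi * 16 + lo;
                    p += 2;
                }
                /* The bounds check: always keep one byte free for the NUL. */
                if (n + 1 >= out_size) { out[0] = '\0'; return -2; }
                out[n++] = (char)ch;
            }
            out[n] = '\0';
            return (int)n;
        }
        i = end + 1;
    }
    return -1;
}
```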
Affected Products
D-Link DIR-825 firmware version 2.03 and potentially earlier/later versions of this end-of-life device. CPE string (likely): cpe:2.3:o:d-link:dir-825_firmware:2.03:*:*:*:*:*:*:*. The DIR-825 is a dual-band wireless AC router marketed primarily for small office/home office (SOHO) use. D-Link ceased support for this model; exact end-of-life date should be verified against D-Link's product lifecycle documentation. No patch is available due to end-of-life status, and D-Link has not issued security advisories for this CVE according to standard channels.
Remediation
**Patch Availability**: None. D-Link no longer supports the DIR-825 product line.

**Remediation Steps**:

(1) **Immediate**: Replace DIR-825 units with current-generation D-Link routers or alternative vendor solutions receiving active security updates.

(2) **Interim Mitigation** (if replacement is delayed):

(a) Restrict administrative/HTTP management access to the router via network-based access control lists (ACLs): limit HTTP/HTTPS management ports (80/443) to trusted internal IPs only, not external/untrusted networks.
(b) Disable remote management features if enabled.
(c) Change default credentials and implement strong, unique administrative passwords.
(d) Isolate the router on a dedicated management VLAN if possible.
(e) Monitor router logs for suspicious POST requests (though most DIR-825 units have limited logging).

(3) **Long-term**: Decommission the device and migrate to supported products with regular security patching (e.g., current D-Link models, ASUS, Ubiquiti, Cisco, or open-source alternatives like OpenWrt on compatible hardware).
EUVD-2025-18710