CVE-2025-8949
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-18
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-825_firmware | 2.10 |
| dlink | dir-825 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow in the D-Link DIR-825 router firmware version 2.10, specifically in the get_ping_app_stat function of the ping_response.cgi component within the httpd service. It occurs when an attacker sends a specially crafted POST request with an overly long ping_ipaddr parameter. The input is copied unsafely into a fixed-size stack buffer using strcpy without proper length validation, causing the buffer to overflow. This overflow can corrupt the stack and lead to a crash of the httpd service or potentially other impacts. [1, 2, 3]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to a denial of service (DoS) condition by crashing the router's httpd service remotely. Because it is a stack-based buffer overflow, it may also potentially allow attackers to compromise the confidentiality, integrity, and availability of the device. However, exploitation requires an authenticated attacker with elevated privileges. The affected devices are no longer supported, and no mitigations are published, so replacement is recommended. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /ping_response.cgi endpoint that carry an unusually long or malformed ping_ipaddr parameter. A practical detection method is to capture HTTP traffic to the router and filter for POST requests to /ping_response.cgi with oversized ping_ipaddr values, for example by capturing with tcpdump or tshark and then inspecting the POST bodies with grep or Wireshark. A sample command that prints the payload of TCP segments on port 80 and keeps only lines mentioning the parameter is: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'ping_ipaddr'` (the BPF expression matches only segments with a non-zero payload length). Additionally, unexplained crashes or restarts of the httpd service on the D-Link DIR-825 device may indicate exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected D-Link DIR-825 device with a supported alternative, as the product is no longer maintained and no official patches are available. Additionally, restrict access to the router's web interface to trusted networks only, implement network-level filtering to block malicious POST requests targeting /ping_response.cgi, and monitor for exploitation attempts. Applying strict input validation or filtering on the device is recommended but may not be feasible without vendor support. Ultimately, device replacement is the most effective mitigation. [1, 2]
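The detection and filtering idea described in the two answers above (flag POST requests to /ping_response.cgi whose ping_ipaddr value is oversized or not a plausible ping target) can be expressed as a small inspection routine that a proxy, IDS rule or log-analysis script could apply. The following is an added example written for this page; it is not BaseFortify's code and not D-Link firmware. The `MAX_PING_IPADDR_LEN` threshold, the function names and the sample requests are constructed assumptions for illustration.

```python
"""Inspect raw HTTP requests for oversized or malformed ping_ipaddr values
sent to /ping_response.cgi (detection/filtering logic, added example)."""
import ipaddress
from typing import Optional
from urllib.parse import parse_qs

# Assumed threshold: a dotted-quad IPv4 address is at most 15 characters, so
# anything much longer is not a legitimate ping target. 64 leaves room for
# short hostnames while still catching the "overly long" case.
MAX_PING_IPADDR_LEN = 64
TARGET_PATH = "/ping_response.cgi"


def parse_http_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP/1.x request into method, path, headers and body.
    Returns None when the request line is malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    try:
        method, target, _version = request_line.decode("ascii", "replace").split(" ", 2)
    except ValueError:
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    # Drop any query string so that path matching is exact.
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": headers, "body": body}


def is_plausible_ping_target(value: str) -> bool:
    """Allowlist check: accept a valid IPv4 address or a hostname made of
    RFC 1123-style labels (alphanumerics and inner hyphens, <= 63 chars each)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        pass
    if not value or len(value) > 253:
        return False
    for label in value.split("."):
        if not (0 < len(label) <= 63):
            return False
        if not label.replace("-", "").isalnum():
            return False
        if label.startswith("-") or label.endswith("-"):
            return False
    return True


def inspect_request(raw: bytes) -> dict:
    """Classify one request. 'verdict' is 'ignore' (not the endpoint of
    interest), 'allow' (well-formed) or 'suspicious' (oversized/malformed)."""
    req = parse_http_request(raw)
    if req is None:
        return {"verdict": "suspicious", "reason": "unparseable request line"}
    if req["method"] != "POST" or req["path"] != TARGET_PATH:
        return {"verdict": "ignore", "reason": "not a POST to " + TARGET_PATH}
    # parse_qs percent-decodes values, so the length checked is the decoded one.
    params = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    values = params.get("ping_ipaddr")
    if not values:
        return {"verdict": "allow", "reason": "no ping_ipaddr parameter"}
    value = values[0]
    if len(value) > MAX_PING_IPADDR_LEN:
        return {"verdict": "suspicious",
                "reason": "ping_ipaddr length %d exceeds %d" % (len(value), MAX_PING_IPADDR_LEN)}
    if not is_plausible_ping_target(value):
        return {"verdict": "suspicious",
                "reason": "ping_ipaddr is not a valid IPv4 address or hostname"}
    return {"verdict": "allow", "reason": "ping_ipaddr is well-formed"}


# Constructed sample requests (not real captures).
BENIGN_REQUEST = (b"POST /ping_response.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"ping_ipaddr=192.168.0.20")
OVERSIZED_REQUEST = (b"POST /ping_response.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                     b"ping_ipaddr=" + b"A" * 200)
UNRELATED_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST),
                         ("unrelated", UNRELATED_REQUEST)]:
        print(name, inspect_request(sample))
```

The same `inspect_request` verdict can drive either a detection alert or a blocking decision in a reverse proxy placed in front of the router; the allowlist check matters because an attacker-controlled value that is short but not an address is still outside what the CGI expects.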