CVE-2025-70219
Stack Buffer Overflow in D-Link DIR-513 Device Reboot Function
Publication date: 2026-03-04
Last updated on: 2026-03-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-513_firmware | 1.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70219 is a stack buffer overflow vulnerability in the D-Link DIR-513 router firmware version 1.10, specifically in the goform/formDeviceReboot component.
The vulnerability occurs because the function handling the formDeviceReboot request does not properly validate the length of the parameter `p_last_url`, which is derived from the user-controlled `next_page` value.
This unchecked parameter is copied using `strcpy`, which can lead to a buffer overflow when an excessively long string is sent.
An attacker can exploit this by sending a crafted HTTP POST request to the `/goform/formDeviceReboot` endpoint with a very long `next_page` parameter, causing memory overwrite.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption through a buffer overflow, which may allow an attacker to execute arbitrary code on the affected device.
Exploitation could result in unauthorized control over the router, potentially causing denial of service or enabling further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for HTTP POST requests sent to the endpoint /goform/formDeviceReboot containing an excessively long next_page parameter value.'}, {'type': 'paragraph', 'content': 'A detection method involves capturing network traffic and searching for POST requests with unusually long next_page parameters targeting the vulnerable router.'}, {'type': 'paragraph', 'content': 'For example, using command-line tools like curl or wget to simulate the exploit can help verify if the system is vulnerable.'}, {'type': 'list_item', 'content': 'curl -X POST http://<router-ip>/goform/formDeviceReboot -d "act=undo_reboot&next_page=$(python3 -c \'print("1"*1000)\')"'}, {'type': 'list_item', 'content': "tcpdump or Wireshark filters to detect suspicious POST requests: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' and then search for /goform/formDeviceReboot with long next_page parameters."}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include avoiding exposure of the vulnerable D-Link DIR-513 router to untrusted networks and disabling remote management features if enabled.'}, {'type': 'paragraph', 'content': "If possible, restrict access to the router's management interface to trusted IP addresses only."}, {'type': 'paragraph', 'content': 'Monitor for suspicious POST requests to /goform/formDeviceReboot and block or alert on such traffic.'}, {'type': 'paragraph', 'content': 'Contact D-Link for firmware updates or patches addressing this vulnerability and apply them as soon as they become available.'}] [1]