CVE-2025-70221
Stack Buffer Overflow in D-Link DIR-513 Login Causes Crash
Publication date: 2026-03-04
Last updated on: 2026-03-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-513_firmware | 1.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-70221 is a stack buffer overflow vulnerability found in the D-Link DIR-513 router, specifically in firmware version v1.10. The vulnerability exists in the "goform/formLogin" component and is triggered via the "curTime" parameter.'}, {'type': 'paragraph', 'content': 'The issue occurs because the "curTime" parameter is improperly handled using the "sprintf" function, which leads to a stack buffer overflow condition when an excessively long value is provided.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this by sending a specially crafted HTTP POST request with an oversized "curTime" value to the "/goform/formLogin" endpoint, potentially causing the device to execute arbitrary code or crash.'}] [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary code on the affected D-Link DIR-513 router or cause a denial of service by crashing the device.
Successful exploitation could lead to unauthorized control over the router, disruption of network services, or compromise of network security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests to the "/goform/formLogin" endpoint on D-Link DIR-513 routers running firmware version v1.10. Specifically, look for requests where the "curTime" parameter contains an unusually long or malformed value that could trigger a stack buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze network traffic for suspicious POST requests targeting the vulnerable endpoint.'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts include using network packet capture tools like tcpdump or Wireshark with filters for the specific URI and parameter:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/formLogin'"}, {'type': 'list_item', 'content': 'Use a tool like curl or a custom script to send test POST requests with long "curTime" values to verify if the device is vulnerable.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the affected device's management interface to trusted networks only, such as limiting access via firewall rules or network segmentation."}, {'type': 'paragraph', 'content': "Avoid exposing the router's web management interface to untrusted networks or the internet."}, {'type': 'paragraph', 'content': 'If possible, update the device firmware to a version that addresses this vulnerability. If no patch is available, consider disabling the vulnerable service or replacing the device.'}] [1]