CVE-2025-70233
Stack Buffer Overflow in D-Link DIR-513 via curTime Parameter
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-513_firmware | 1.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70233 is a stack buffer overflow vulnerability found in the D-Link DIR-513 router, specifically in firmware version v1.10. The vulnerability exists in the component handling the endpoint goform/formSetEnableWizard and is triggered via the "curTime" parameter.

The overflow occurs because the input data passed to the curTime parameter is improperly handled, eventually reaching a vulnerable call to sprintf, which leads to a stack buffer overflow.

An attacker can exploit this by sending an excessively long string in the curTime parameter through an HTTP POST request to the /goform/formSetEnableWizard endpoint. [1]
How can this vulnerability impact me?
This vulnerability could potentially allow an attacker to execute arbitrary code on the affected device or cause a denial of service (DoS).

Exploitation could lead to unauthorized control over the router, disruption of network services, or compromise of the device's integrity. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the /goform/formSetEnableWizard endpoint on the D-Link DIR-513 router, specifically looking for unusually long or malformed values in the "curTime" parameter.

A practical detection method is to capture network traffic and filter for POST requests targeting /goform/formSetEnableWizard, then inspect the "curTime" parameter for suspiciously long strings that could trigger the buffer overflow.

Example command using tcpdump to capture relevant traffic:

- `tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /goform/formSetEnableWizard'`

Alternatively, using curl or similar tools to test the endpoint with a crafted payload can help verify if the device is vulnerable.

- `curl -X POST http://<router-ip>/goform/formSetEnableWizard -d 'curTime=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'`

[1]
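The length check described above can be automated over reassembled HTTP requests. The following is an added example, not part of the original page or any vendor tooling; the 32-character threshold is an assumption to be tuned against normal traffic, and the sample requests are constructed rather than captured.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/formSetEnableWizard"   # endpoint named on this page
PARAM = "curTime"                           # parameter named on this page
MAX_LEN = 32   # assumption: a legitimate time value is short; tune per baseline

def inspect_request(raw: bytes):
    """Return findings for one reassembled HTTP request (empty list = clean)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return []                            # not an HTTP request line
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return []
    findings = []
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) > len(body):
        findings.append("body truncated in capture; length check incomplete")
    # Percent-decode first so an encoded value is measured as the handler sees it.
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    for name, value in fields:
        if name != PARAM:
            continue
        if len(value) > MAX_LEN:
            findings.append(f"{PARAM} length {len(value)} exceeds {MAX_LEN}")
        if any(not (0x20 <= ord(c) < 0x7F) for c in value):
            findings.append(f"{PARAM} contains non-printable bytes")
    return findings

def make_sample(body: bytes) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (b"POST /goform/formSetEnableWizard HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

SAMPLES = {
    "normal": make_sample(b"curTime=1700000000000"),
    "oversized": make_sample(b"curTime=" + b"A" * 300),
    "encoded": make_sample(b"curTime=" + b"%41" * 40),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_request(raw))
```

The function expects a complete request, so feed it from a tool that reassembles TCP streams rather than from single packets.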
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint by limiting network access to trusted users only, such as through firewall rules or network segmentation.

Disabling remote management features on the D-Link DIR-513 router, if enabled, can reduce exposure to this vulnerability.

If available, updating the router firmware to a version that addresses this vulnerability is the most effective mitigation.

In the absence of a firmware update, monitoring and blocking suspicious HTTP POST requests to /goform/formSetEnableWizard with abnormal "curTime" parameter lengths can help prevent exploitation. [1]