CVE-2025-70234
Stack Buffer Overflow in D-Link DIR-513 QoS Parameter
Publication date: 2026-03-03
Last updated on: 2026-03-09
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-513_firmware | 1.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70234 is a stack buffer overflow vulnerability found in the D-Link DIR-513 router, specifically in firmware version v1.10. The vulnerability occurs in the component handling the endpoint goform/formSetQoS, where the parameter "curTime" is improperly processed.

The issue arises because the "curTime" parameter is handled using the sprintf function without proper bounds checking, leading to a stack buffer overflow. An attacker can exploit this by sending a crafted POST request with an excessively long "curTime" value, causing the overflow. [1]
How can this vulnerability impact me?
This vulnerability could potentially allow an attacker to execute arbitrary code on the affected device or cause a denial of service (DoS).

By exploiting the stack buffer overflow via the "curTime" parameter, an attacker might gain control over the router, disrupt its normal operation, or crash the device, impacting network availability and security. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests targeting the endpoint /goform/formSetQoS or /goform/formSetMACFilter on D-Link DIR-513 routers running firmware version v1.10.

Specifically, detection involves looking for POST requests with an excessively long or malformed "curTime" parameter in the request body, which is indicative of an attempt to exploit the stack buffer overflow.

A suggested command to detect such attempts using network traffic capture tools like tcpdump or tshark could be:

- tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -iE 'POST /goform/formSet(QoS|MACFilter)'

Alternatively, using tshark to filter HTTP POST requests with the "curTime" parameter:

- tshark -Y 'http.request.method == "POST" && (http.request.uri contains "/goform/formSetQoS" || http.request.uri contains "/goform/formSetMACFilter") && http.file_data contains "curTime="'

These commands help identify potentially malicious requests attempting to exploit the vulnerability by sending crafted payloads with large "curTime" values. [1]
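The commands above only match the presence of "curTime="; the length check the answer describes can be applied to captured requests as in the following added example, which is not part of the CVE record or any vendor tooling. The 32-character limit, the expectation that a legitimate "curTime" is purely numeric, and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Endpoints named on the page (compared case-insensitively).
WATCHED_PATHS = {"/goform/formsetqos", "/goform/formsetmacfilter"}
MAX_CURTIME_LEN = 32  # assumption: legitimate values are short timestamps


def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request; an empty list means clean."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n")[0].decode("latin-1")
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return []  # not a parseable request line
    path = target.split("?", 1)[0].lower()
    if method.upper() != "POST" or path not in WATCHED_PATHS:
        return []
    findings = []
    # parse_qs percent-decodes, so the length is measured on the decoded
    # value; keep_blank_values keeps an empty "curTime=" visible.
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for value in params.get("curTime", []):
        if len(value) > MAX_CURTIME_LEN:
            findings.append(f"curTime length {len(value)} exceeds {MAX_CURTIME_LEN}")
        if not value.isdigit():  # assumption: normal value is numeric
            findings.append("curTime is not purely numeric")
    return findings


def _post(path: str, body: str) -> bytes:
    """Build a constructed sample request (192.0.2.1 is a documentation IP)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed samples: a normal request, an oversized value, an unrelated path.
SAMPLES = {
    "benign": _post("/goform/formSetQoS", "curTime=1700000000&x=1"),
    "oversized": _post("/goform/formSetQoS", "curTime=" + "A" * 300),
    "other_path": _post("/goform/formLogin", "curTime=" + "A" * 300),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw) or "clean")
```
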
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected D-Link DIR-513 router's management interface to trusted networks only, such as internal LAN segments.

Additionally, monitoring and blocking suspicious HTTP POST requests to the /goform/formSetQoS and /goform/formSetMACFilter endpoints with unusually large or malformed "curTime" parameters can help prevent exploitation.

If possible, disabling remote management features or applying any available firmware updates or patches from the vendor should be prioritized to fully remediate the vulnerability. [1]