CVE-2025-70238
Stack Buffer Overflow in D-Link DIR-513 WAN Wizard Module
Publication date: 2026-03-09
Last updated on: 2026-03-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-513_firmware | 1.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70238 is a stack buffer overflow vulnerability found in the D-Link DIR-513 router, specifically in firmware version v1.10. It occurs in the component handling the endpoint goform/formSetWAN_Wizard52 and is triggered via the curTime parameter.
The vulnerability arises because the input to the curTime parameter is not properly limited when processed by a sprintf operation, allowing an attacker to send an excessively long string that overwrites the stack.
This improper handling can lead to a buffer overflow, which may be exploited to cause remote code execution or denial of service on the affected device.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to remotely exploit the D-Link DIR-513 router running vulnerable firmware.
Exploitation could lead to remote code execution, meaning an attacker could run arbitrary code on your device, potentially taking control of it.
Alternatively, the attacker could cause a denial of service, making the device unavailable or unstable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /goform/formSetWAN_Wizard52 on D-Link DIR-513 routers running firmware version v1.10.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves checking for unusually long or malformed values in the curTime parameter, which triggers the stack buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical approach is to capture network traffic and filter for POST requests to the vulnerable endpoint.'}, {'type': 'list_item', 'content': 'Use a network packet capture tool like tcpdump or Wireshark to monitor traffic to the router.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant HTTP POST requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /goform/formSetWAN_Wizard52'"}, {'type': 'list_item', 'content': 'Alternatively, use curl or similar tools to test the endpoint by sending a crafted POST request with an excessively long curTime parameter to see if the device responds abnormally.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable endpoint and avoiding exposure of the D-Link DIR-513 router to untrusted networks.'}, {'type': 'paragraph', 'content': 'Specifically, you should:'}, {'type': 'list_item', 'content': "Limit network access to the router's management interface to trusted IP addresses only."}, {'type': 'list_item', 'content': 'Disable remote management features if enabled.'}, {'type': 'list_item', 'content': 'Monitor and block suspicious HTTP POST requests targeting /goform/formSetWAN_Wizard52 with abnormal curTime parameter lengths.'}, {'type': 'list_item', 'content': 'Check for firmware updates from D-Link that address this vulnerability and apply them as soon as they become available.'}] [1]