CVE-2025-6367 in DIR-619Linfo

Summary

by MITRE • 06/20/2025

A vulnerability was found in D-Link DIR-619L 2.06B01. It has been declared as critical. This vulnerability affects unknown code of the file /goform/formSetDomainFilter. The manipulation of the argument curTime/sched_name_%d/url_%d leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/25/2025

The vulnerability identified as CVE-2025-6367 represents a critical stack-based buffer overflow flaw within the D-Link DIR-619L router firmware version 2.06B01. This issue resides in the /goform/formSetDomainFilter file which handles domain filtering functionality for the device's web interface. The vulnerability stems from improper input validation when processing parameters including curTime sched_name_%d and url_%d arguments, creating an exploitable condition that allows attackers to manipulate memory layout through crafted input sequences. The flaw specifically affects the router's web-based management interface, making it accessible to remote attackers without requiring physical access or authentication credentials.

The technical exploitation of this vulnerability occurs through manipulation of the targeted parameters within the formSetDomainFilter endpoint, where insufficient bounds checking allows attackers to overflow the stack buffer and potentially overwrite adjacent memory locations including return addresses and control data. This type of vulnerability falls under CWE-121 Stack-based Buffer Overflow, which is classified as a high-severity issue in the Common Weakness Enumeration catalog. The attack vector is remote and network-based, meaning an attacker can leverage this vulnerability from outside the local network perimeter, making it particularly dangerous for devices connected to the internet. The fact that the exploit has been publicly disclosed increases the risk profile significantly, as it eliminates the element of surprise that typically protects against zero-day attacks.

The operational impact of this vulnerability extends beyond simple remote code execution capabilities, potentially allowing attackers to gain full administrative control over the affected router. This compromise enables malicious actors to modify network configurations, redirect traffic through malicious proxies, implement man-in-the-middle attacks, or establish persistent backdoors within the network infrastructure. The affected device, being a consumer-grade router, typically operates in unsecured environments where network monitoring is minimal, making such compromises particularly stealthy and dangerous for end users. Organizations that continue to operate unsupported firmware versions face heightened risk as these devices become increasingly attractive targets for cybercriminals seeking to establish persistent network footholds.

Given that D-Link has discontinued support for this device model, the primary mitigation strategy involves immediate replacement or decommissioning of affected units from network environments. Network administrators should implement strict firewall rules to block access to the affected web interface ports and consider network segmentation to limit potential lateral movement if compromise occurs. The vulnerability's classification as critical and its public disclosure status necessitates immediate action, as the window for exploitation is likely already open. Additionally, organizations should conduct comprehensive network scans to identify all instances of this device model and ensure proper network hygiene practices are maintained. The ATT&CK framework categorizes this vulnerability under T1071.004 Application Layer Protocol: DNS and T1059.001 Command and Scripting Interpreter: PowerShell, highlighting the potential for attackers to leverage this compromise for further network infiltration activities. Organizations should also consider implementing intrusion detection systems to monitor for exploitation attempts targeting this specific vulnerability pattern.

Responsible

VulDB

Disclosure

06/20/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00820

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!