CVE-2025-70223 in DIR-513info

Summary

by MITRE • 03/04/2026

Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formAdvNetwork.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 03/05/2026

The CVE-2025-70223 vulnerability represents a critical stack buffer overflow flaw discovered in D-Link DIR-513 router firmware version 1.10. This vulnerability resides within the web interface handling mechanism for network configuration parameters, specifically targeting the curTime parameter in the goform/formAdvNetwork endpoint. The affected device operates with a web server that processes user input through HTTP POST requests, making it susceptible to malicious input manipulation that can lead to arbitrary code execution. The vulnerability stems from inadequate input validation and bounds checking within the firmware's web application layer, where user-supplied time parameters are directly copied to a fixed-size stack buffer without proper sanitization. This flaw aligns with CWE-121 Stack-based Buffer Overflow, a fundamental vulnerability category that has been consistently exploited in embedded systems and network devices. The attack surface is particularly concerning as it involves the router's administrative interface, which typically requires elevated privileges and can be accessed by authenticated users with appropriate credentials.

The technical exploitation of this vulnerability occurs when an attacker sends a specially crafted HTTP POST request containing an excessively long curTime parameter value to the vulnerable endpoint. The firmware's processing code fails to validate the length of the incoming parameter against the allocated stack buffer size, resulting in a buffer overflow condition. When the buffer overflow occurs, it overwrites adjacent stack memory locations including return addresses and function pointers, potentially allowing an attacker to redirect program execution flow. The attack vector is particularly dangerous because it can be executed remotely without requiring physical access to the device, and the vulnerability affects the router's web administration interface which is commonly exposed to external networks. The exploitation process follows standard buffer overflow techniques described in the ATT&CK framework under T1210 Exploitation of Remote Services, where attackers leverage web application vulnerabilities to gain unauthorized access to network infrastructure.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides attackers with a potential foothold for broader network infiltration. Once successfully exploited, the attacker could gain full administrative control over the router, enabling them to modify network configurations, redirect traffic, establish persistent backdoors, or use the device as a launch point for attacks against other network segments. The vulnerability affects the entire D-Link DIR-513 product line running firmware version 1.10, which represents a significant number of devices deployed in residential and small office environments where network security is often inadequate. The attack could result in man-in-the-middle scenarios, DNS poisoning, or complete network compromise, especially when the router serves as a gateway for multiple devices. The vulnerability is particularly concerning in environments where the router's administrative interface is accessible from the internet, as it provides an easily exploitable entry point for automated scanning and exploitation campaigns targeting known embedded device vulnerabilities.

Mitigation strategies for CVE-2025-70223 should prioritize immediate firmware updates from D-Link, as the vendor has likely released patches addressing this specific vulnerability. Organizations should implement network segmentation to isolate critical infrastructure from potentially compromised devices, while also monitoring for unusual network traffic patterns that might indicate exploitation attempts. Network administrators should disable remote administration access to affected devices when possible, and implement strict access controls for the router's web interface, including strong authentication mechanisms and regular credential rotation. Security monitoring should include detection of malformed HTTP requests targeting the vulnerable endpoint, with intrusion detection systems configured to flag suspicious parameter lengths. Additionally, network defenders should consider implementing web application firewalls to filter malicious input before it reaches the vulnerable application layer. The vulnerability underscores the importance of regular firmware updates and vulnerability assessments for network infrastructure devices, particularly those with exposed web interfaces. Organizations should also consider conducting penetration testing to identify similar vulnerabilities in other network equipment and establish robust patch management procedures to address future vulnerabilities in embedded systems.

Responsible

MITRE

Reservation

01/09/2026

Disclosure

03/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00513

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!