CVE-2025-13306

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions D-Link DWR-M920 version 1.1.5 D-Link DWR-M921 version 1.1.5 D-Link DIR-822K version 1.1.5 D-Link DIR-825M version 1.1.5

Description A security issue exists in D-Link devices that allows for command injection. The system function within the /boafrm/formDebugDiagnosticRun file is affected. Manipulation of the host argument can lead to unauthorized command execution. The exploit for this issue has been publicly disclosed.

Recommendations Update D-Link DWR-M920 to a newer version. Update D-Link DWR-M921 to a newer version. Update D-Link DIR-822K to a newer version. Update D-Link DIR-825M to a newer version.

Exploit

Fix

Special Elements Injection

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-78CWE-77

Related Identifiers

BDU:2025-14543

CVE-2025-13306

Affected Products

Dir-822

Dir-825

Dwr-M920

Dwr-M921

CVE-2025-13306

Weakness Enumeration

Related Identifiers

Affected Products

References · 18