CVE-2025-13306 - Vulnerability Details

A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
D-link	Dir-822 Dir-825 Dwr-920 Dwr-921
Dlink	Dir-822k Dir-822k Firmware Dir-825m Dir-825m Firmware Dwr-m920 Dwr-m920 Firmware Dwr-m921 Dwr-m921 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dwr-m920_firmware:1.1.5:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m920:b2:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m921:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:dlink:dir-822k_firmware:tk_1.00_20250513164613:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-822k:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:dlink:dir-825m_firmware:1.1.12:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-825m:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/LX-LX88/cve/issues/15
https://vuldb.com/?ctiid.332646
https://vuldb.com/?id.332646
https://vuldb.com/?submit.691813
https://vuldb.com/?submit.693805
https://vuldb.com/?submit.693807
https://vuldb.com/?submit.695426
https://www.dlink.com/

History

Thu, 08 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dir-822k Dlink dir-822k Firmware Dlink dir-825m Dlink dir-825m Firmware Dlink dwr-m920 Dlink dwr-m920 Firmware Dlink dwr-m921 Dlink dwr-m921 Firmware
Weaknesses		CWE-78
CPEs		cpe:2.3:h:dlink:dir-822k:-:::::::* cpe:2.3:h:dlink:dir-825m:-:::::::* cpe:2.3:h:dlink:dwr-m920:b2:::::::* cpe:2.3:h:dlink:dwr-m921:-:::::::* cpe:2.3:o:dlink:dir-822k_firmware:tk_1.00_20250513164613:::::::* cpe:2.3:o:dlink:dir-825m_firmware:1.1.12:::::::* cpe:2.3:o:dlink:dwr-m920_firmware:1.1.5:::::::* cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:::::::*
Vendors & Products		Dlink Dlink dir-822k Dlink dir-822k Firmware Dlink dir-825m Dlink dir-825m Firmware Dlink dwr-m920 Dlink dwr-m920 Firmware Dlink dwr-m921 Dlink dwr-m921 Firmware

Tue, 18 Nov 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link dir-822 D-link dir-825 D-link dwr-920 D-link dwr-921
Vendors & Products		D-link D-link dir-822 D-link dir-825 D-link dwr-920 D-link dwr-921

Mon, 17 Nov 2025 23:45:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Title		D-Link DWR-M920/DWR-M921/DIR-822K/DIR-825M formDebugDiagnosticRun system command injection
Weaknesses		CWE-74 CWE-77
References		https://github.com/LX-LX88/cve/issues/15 https://vuldb.com/?ctiid.332646 https://vuldb.com/?id.332646 https://vuldb.com/?submit.691813 https://vuldb.com/?submit.693805 https://vuldb.com/?submit.693807 https://vuldb.com/?submit.695426 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-11-17T23:32:06.249Z

Updated: 2025-11-18T16:36:07.550Z

Reserved: 2025-11-17T14:22:32.469Z

Link: CVE-2025-13306

Vulnrichment

Updated: 2025-11-18T14:25:28.522Z

NVD

Status : Analyzed

Published: 2025-11-18T00:15:48.380

Modified: 2026-01-08T17:12:48.220

Link: CVE-2025-13306

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object