CVE-2025-13306 - Vulnerability Details

- D-Link DWR-M920/DWR-M921/DIR-822K/DIR-825M formDebugDiagnosticRun system command injection

Description

A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

Published: 2025-11-17

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DWR-M920

affected

Version	Status	Constraints
`1.1.5`	affected	—

D-Link

DWR-M921

affected

Version	Status	Constraints
`1.1.5`	affected	—

D-Link

DIR-822K

affected

Version	Status	Constraints
`1.1.5`	affected	—

D-Link

DIR-825M

affected

Version	Status	Constraints
`1.1.5`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dwr-m920_firmware:1.1.5:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m920:b2:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dwr-m921:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:dlink:dir-822k_firmware:tk_1.00_20250513164613:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-822k:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:dlink:dir-825m_firmware:1.1.12:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-825m:-:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
D-link	Dir-822	—	—
D-link	Dir-825	—	—
D-link	Dwr-920	—	—
D-link	Dwr-921	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00076.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/LX-LX88/cve/issues/15
https://vuldb.com/?ctiid.332646
https://vuldb.com/?id.332646
https://vuldb.com/?submit.691813
https://vuldb.com/?submit.693805
https://vuldb.com/?submit.693807
https://vuldb.com/?submit.695426
https://www.dlink.com/

History

Thu, 08 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dir-822k Dlink dir-822k Firmware Dlink dir-825m Dlink dir-825m Firmware Dlink dwr-m920 Dlink dwr-m920 Firmware Dlink dwr-m921 Dlink dwr-m921 Firmware
Weaknesses		CWE-78
CPEs		cpe:2.3:h:dlink:dir-822k:-:::::::* cpe:2.3:h:dlink:dir-825m:-:::::::* cpe:2.3:h:dlink:dwr-m920:b2:::::::* cpe:2.3:h:dlink:dwr-m921:-:::::::* cpe:2.3:o:dlink:dir-822k_firmware:tk_1.00_20250513164613:::::::* cpe:2.3:o:dlink:dir-825m_firmware:1.1.12:::::::* cpe:2.3:o:dlink:dwr-m920_firmware:1.1.5:::::::* cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:::::::*
Vendors & Products		Dlink Dlink dir-822k Dlink dir-822k Firmware Dlink dir-825m Dlink dir-825m Firmware Dlink dwr-m920 Dlink dwr-m920 Firmware Dlink dwr-m921 Dlink dwr-m921 Firmware

Tue, 18 Nov 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link dir-822 D-link dir-825 D-link dwr-920 D-link dwr-921
Vendors & Products		D-link D-link dir-822 D-link dir-825 D-link dwr-920 D-link dwr-921

Mon, 17 Nov 2025 23:45:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Title		D-Link DWR-M920/DWR-M921/DIR-822K/DIR-825M formDebugDiagnosticRun system command injection
Weaknesses		CWE-74 CWE-77
References		https://github.com/LX-LX88/cve/issues/15 https://vuldb.com/?ctiid.332646 https://vuldb.com/?id.332646 https://vuldb.com/?submit.691813 https://vuldb.com/?submit.693805 https://vuldb.com/?submit.693807 https://vuldb.com/?submit.695426 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

D-link Dir-822 Dir-825 Dwr-920 Dwr-921

Dlink Dir-822k Dir-822k Firmware Dir-825m Dir-825m Firmware Dwr-m920 Dwr-m920 Firmware Dwr-m921 Dwr-m921 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-11-17T23:32:06.249Z

Updated: 2025-11-18T16:36:07.550Z

Reserved: 2025-11-17T14:22:32.469Z

Link: CVE-2025-13306

Vulnrichment

Updated: 2025-11-18T14:25:28.522Z

NVD

Status : Analyzed

Published: 2025-11-18T00:15:48.380

Modified: 2026-01-08T17:12:48.220

Link: CVE-2025-13306

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-11-18T09:05:49Z

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object