Impact
A buffer overflow exists in the AddPortMapping function of miniupnpd’s upnpsoap.c. When an attacker sends a specially crafted NewPortMappingDescription argument, the vulnerable buffer overflows. The CVE entry does not explicitly describe the post‑overflow state, but a buffer overflow like this could potentially allow arbitrary code execution, which is inferred from the nature of the flaw. The issue is scoped to local‑network reachability and is listed under CWE‑119 and CWE‑120. The potential compromise would affect confidentiality, integrity, and availability, but this outcome is not directly stated in the official description.
Affected Systems
D‑Link DIR‑825 routers running firmware versions up to 3.00b32, which are no longer supported. No other vendors or products are reported to be affected.
Risk and Exploitability
The CVSS score of 8.6 classifies this vulnerability as high severity. EPSS is 1%, indicating a low frequency of observed exploitation, but public exploits have been released and could be leveraged in environments where an attacker can reach the device over the local network. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, yet the combination of a high severity score and local network reachability makes it a significant risk for unattended or exposed devices.
OpenCVE Enrichment