Description
A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Published: 2025-11-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dir-822k
Dlink dir-822k Firmware
Dlink dir-825m
Dlink dir-825m Firmware
Dlink dwr-m920
Dlink dwr-m920 Firmware
Dlink dwr-m921
Dlink dwr-m921 Firmware
Weaknesses CWE-78
CPEs cpe:2.3:h:dlink:dir-822k:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-825m:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dwr-m920:b2:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dwr-m921:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-822k_firmware:tk_1.00_20250513164613:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-825m_firmware:1.1.12:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dwr-m920_firmware:1.1.5:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dwr-m921_firmware:1.1.50:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dir-822k
Dlink dir-822k Firmware
Dlink dir-825m
Dlink dir-825m Firmware
Dlink dwr-m920
Dlink dwr-m920 Firmware
Dlink dwr-m921
Dlink dwr-m921 Firmware

Tue, 18 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared D-link
D-link dir-822
D-link dir-825
D-link dwr-920
D-link dwr-921
Vendors & Products D-link
D-link dir-822
D-link dir-825
D-link dwr-920
D-link dwr-921

Mon, 17 Nov 2025 23:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Title D-Link DWR-M920/DWR-M921/DIR-822K/DIR-825M formDebugDiagnosticRun system command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

D-link Dir-822 Dir-825 Dwr-920 Dwr-921
Dlink Dir-822k Dir-822k Firmware Dir-825m Dir-825m Firmware Dwr-m920 Dwr-m920 Firmware Dwr-m921 Dwr-m921 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2025-11-18T16:36:07.550Z

Reserved: 2025-11-17T14:22:32.469Z

Link: CVE-2025-13306

cve-icon Vulnrichment

Updated: 2025-11-18T14:25:28.522Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-18T00:15:48.380

Modified: 2026-04-29T01:00:01.613

Link: CVE-2025-13306

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-11-18T09:05:49Z

Weaknesses