Security readout for executives and security teams
Plain-English summary
A flaw in Netis DL4322D ADSL routers lets a logged-in user crash the device by sending a malformed FTP command. The router becomes unresponsive, knocking everyone connected through it offline until it is rebooted. The impact is loss of internet availability rather than data theft, but for a small office relying on this router it is a meaningful disruption.
Executive priority
Treat as a moderate-priority operational risk rather than a data-breach event. Prioritize remediation only where DL4322D routers are still deployed in business-critical paths; for most organizations this is a housekeeping and refresh item rather than an emergency, but unsupported consumer-grade routers should be retired on a planned cycle.
Technical view
CVE-2018-25125 is a CWE-120 buffer overflow in the embedded FTP service of Netis DL4322D firmware RTK 2.1.1. An authenticated remote attacker who reaches the FTP service can send an FTP command (for example ABOR) with an overlong argument, overflowing a fixed-size buffer and crashing the FTP daemon and the router itself. CVSS 4.0 base score is 8.7 (AV:N/AC:L/PR:N/VA:H), reflecting network-reachable, low-complexity impact limited to availability.
Likely exposure
Exposure is limited to organizations or households running the Netis DL4322D ADSL router with the FTP service enabled and reachable by an attacker who has, or can obtain, valid FTP credentials. Routers with FTP exposed to the internet or to untrusted internal networks face the highest risk; devices with FTP disabled or restricted to trusted LAN users have minimal exposure.
Exploitation context
A public proof-of-concept exists on Exploit-DB (entry 45424) and a third-party advisory is published by VulnCheck. CISA has not added this CVE to the Known Exploited Vulnerabilities catalog, and the cited sources do not document active in-the-wild exploitation. Exploitation requires prior authentication to the FTP service, which raises the bar but does not eliminate risk where default or weak credentials are in use.
Researcher notes
CWE-120 buffer overflow in the FTP command parser, triggered post-authentication by oversized arguments to commands such as ABOR. CVSS 4.0 vector reports VA:H with no confidentiality or integrity impact, consistent with a denial-of-service outcome rather than code execution in the cited sources. Affected versions are listed only as "0" in the CVE record, so confirm against the actual RTK 2.1.1 firmware string. No vendor patch is named in the bundle; the Netis product page and the archived advisory should be rechecked for newer firmware.
Mitigation direction
- Disable the embedded FTP service on the DL4322D if it is not actively required.
- Block inbound FTP (TCP/21) from the internet and untrusted networks at the perimeter.
- Change any default or weak FTP credentials and restrict accounts to the minimum needed.
- Check Netis support channels for updated firmware or vendor guidance on this device.
- Plan replacement of end-of-life Netis DL4322D units with a currently supported router.
- Segment the router from sensitive internal systems so an outage does not cascade.
Validation and detection
- Identify any Netis DL4322D devices in inventory and confirm firmware version RTK 2.1.1.
- Verify whether the FTP service is enabled and which interfaces it listens on.
- From an authorized test host, scan for TCP/21 reachability across WAN and LAN interfaces.
- Review FTP account list for default, shared, or weak credentials.
- Check router and FTP logs for repeated authentication attempts or unexplained reboots.
- Confirm with Netis support whether a fixed firmware build is available for this model.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-120: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2018-25125 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 8.7 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
8.7HighVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.exploit-db.com/exploits/45424CVE reference · exploit
- https://web.archive.org/web/20180731191918/http://www.netis-systems.com/Home/detail/id/74.htmlCVE reference · product
- https://www.netis-systems.com/CVE reference · product
- https://www.vulncheck.com/advisories/netis-dl4322d-ftp-service-dosCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
