LiveActive security incident?Get immediate response
CVE Record

CVE-2018-25125: Netis DL4322D RTK 2.1.1 FTP Service DoS

Netis ADSL Router DL4322D firmware RTK 2.1.1 contains a buffer overflow vulnerability in the embedded FTP service that allows an authenticated remote user to trigger a denial of service. After logging in to the FTP service, sending an FTP command such as ABOR with an excessively long argument causes the service, and in practice the router, to crash or become unresponsive, resulting in a loss of availability for the device and connected users.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

A flaw in Netis DL4322D ADSL routers lets a logged-in user crash the device by sending a malformed FTP command. The router becomes unresponsive, knocking everyone connected through it offline until it is rebooted. The impact is loss of internet availability rather than data theft, but for a small office relying on this router it is a meaningful disruption.

Executive priority

Treat as a moderate-priority operational risk rather than a data-breach event. Prioritize remediation only where DL4322D routers are still deployed in business-critical paths; for most organizations this is a housekeeping and refresh item rather than an emergency, but unsupported consumer-grade routers should be retired on a planned cycle.

Technical view

CVE-2018-25125 is a CWE-120 buffer overflow in the embedded FTP service of Netis DL4322D firmware RTK 2.1.1. An authenticated remote attacker who reaches the FTP service can send an FTP command (for example ABOR) with an overlong argument, overflowing a fixed-size buffer and crashing the FTP daemon and the router itself. CVSS 4.0 base score is 8.7 (AV:N/AC:L/PR:N/VA:H), reflecting network-reachable, low-complexity impact limited to availability.

Likely exposure

Exposure is limited to organizations or households running the Netis DL4322D ADSL router with the FTP service enabled and reachable by an attacker who has, or can obtain, valid FTP credentials. Routers with FTP exposed to the internet or to untrusted internal networks face the highest risk; devices with FTP disabled or restricted to trusted LAN users have minimal exposure.

Exploitation context

A public proof-of-concept exists on Exploit-DB (entry 45424) and a third-party advisory is published by VulnCheck. CISA has not added this CVE to the Known Exploited Vulnerabilities catalog, and the cited sources do not document active in-the-wild exploitation. Exploitation requires prior authentication to the FTP service, which raises the bar but does not eliminate risk where default or weak credentials are in use.

Researcher notes

CWE-120 buffer overflow in the FTP command parser, triggered post-authentication by oversized arguments to commands such as ABOR. CVSS 4.0 vector reports VA:H with no confidentiality or integrity impact, consistent with a denial-of-service outcome rather than code execution in the cited sources. Affected versions are listed only as "0" in the CVE record, so confirm against the actual RTK 2.1.1 firmware string. No vendor patch is named in the bundle; the Netis product page and the archived advisory should be rechecked for newer firmware.

Mitigation direction

  • Disable the embedded FTP service on the DL4322D if it is not actively required.
  • Block inbound FTP (TCP/21) from the internet and untrusted networks at the perimeter.
  • Change any default or weak FTP credentials and restrict accounts to the minimum needed.
  • Check Netis support channels for updated firmware or vendor guidance on this device.
  • Plan replacement of end-of-life Netis DL4322D units with a currently supported router.
  • Segment the router from sensitive internal systems so an outage does not cascade.

Validation and detection

  • Identify any Netis DL4322D devices in inventory and confirm firmware version RTK 2.1.1.
  • Verify whether the FTP service is enabled and which interfaces it listens on.
  • From an authorized test host, scan for TCP/21 reachability across WAN and LAN interfaces.
  • Review FTP account list for default, shared, or weak credentials.
  • Check router and FTP logs for repeated authentication attempts or unexplained reboots.
  • Confirm with Netis support whether a fixed firmware build is available for this model.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-120: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-25125 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
5Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2018-25125Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Netis Systems Co., Ltd.DL4322D0unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-120 · source CWE mapping

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.