Multiple Critical Vulnerabilities in D-Link Routers Let Attackers Execute Arbitrary Code Remotely

Multiple critical vulnerabilities in D-Link router models could allow remote attackers to execute arbitrary code and gain unauthorized access to the network infrastructure. 

Summary
1. Six vulnerabilities in D-Link DIR-816 routers, four of them rated critical (CVSS 9.8), allow remote code execution.
2. Stack-based buffer overflow and OS command injection flaws enable complete router takeover through the web interface.
3. No security patches will be released: all DIR-816 models are End-of-Life, so the vulnerabilities are permanent.

The vulnerabilities affect all hardware revisions and firmware versions of the non-US DIR-816 models, which have now reached their End-of-Life (EOL) status.

Buffer Overflow Flaws Enable Remote Code Execution

Four of the six vulnerabilities are stack-based buffer overflows rated critical with CVSS scores of 9.8, the highest severity level.

These flaws include CVE-2025-5622 affecting the wirelessApcli_5g function in /goform/wirelessApcli_5g, where manipulation of parameters apcli_mode_5g, apcli_enc_5g, and apcli_default_key_5g leads to memory corruption.

CVE-2025-5623 and CVE-2025-5624 both target the qosClassifier function in /goform/qosClassifier, exploiting the dip_address and sip_address arguments to trigger stack-based buffer overflows. 

A critical vulnerability, CVE-2025-5630, affects the /goform/form2lansetup.cgi file through manipulation of the IP parameter.

These vulnerabilities fall under CWE-121 (Stack-based Buffer Overflow) and CWE-119 (Memory Corruption) categories, enabling attackers to overwrite memory segments and potentially execute malicious code with administrative privileges.

Command Injection Vulnerabilities 

Two additional high-severity vulnerabilities involve OS command injection attacks. CVE-2025-5620 targets the setipsec_config function in /goform/setipsec_config, where attackers can manipulate localIP and remoteIP parameters to inject arbitrary system commands. 

Similarly, CVE-2025-5621 exploits the same qosClassifier function through dip_address and sip_address parameters.

These command injection flaws, categorized under CWE-78 (OS Command Injection) and CWE-77 (Command Injection), carry CVSS scores of 7.3 and enable attackers to execute unauthorized operating system commands remotely.

| CVE | Description | CVSS 3.1 Score |
|---|---|---|
| CVE-2025-5622 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5623 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5624 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5630 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5620 | OS command injection | 7.3 (High) |
| CVE-2025-5621 | OS command injection | 7.3 (High) |
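As an added detection example (written for this article, not code from the article, the researcher, or D-Link), the following Python scans request logs for the /goform handlers and parameters listed above and flags the two patterns the CWEs describe: oversized values for the buffer-overflow handlers and shell separators or non-IP literals for the IP-taking parameters. The log line format, the 64-byte length bound, and the assumption that dip_address, sip_address, IP, localIP and remoteIP only ever hold IPv4 addresses are ours.

```python
import re
from urllib.parse import urlsplit, parse_qs

WATCHED = {  # handlers and parameters named in the advisory; the grouping is ours
    "/goform/wirelessApcli_5g": {"apcli_mode_5g", "apcli_enc_5g", "apcli_default_key_5g"},
    "/goform/qosClassifier": {"dip_address", "sip_address"},
    "/goform/form2lansetup.cgi": {"IP"},
    "/goform/setipsec_config": {"localIP", "remoteIP"},
}
IP_PARAMS = {"dip_address", "sip_address", "IP", "localIP", "remoteIP"}  # assumed IPv4-only
MAX_LEN = 64                                   # assumed bound for any legitimate value
SHELL_META = re.compile(r"[;&|`$()<>\n]")      # separators a CWE-78 payload relies on
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def inspect_request(url, body=""):
    """Return (path, param, reason) findings for one request to a watched handler."""
    parts = urlsplit(url)
    params = WATCHED.get(parts.path)
    if params is None:
        return []
    values = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        values.setdefault(key, []).extend(vals)
    findings = []
    for name in sorted(params):
        for value in values.get(name, []):
            if len(value) > MAX_LEN:                  # CWE-121 pattern: oversized input
                findings.append((parts.path, name, "oversized value"))
            elif SHELL_META.search(value):            # CWE-78 pattern: command separator
                findings.append((parts.path, name, "shell metacharacter"))
            elif name in IP_PARAMS and not IPV4.match(value):
                findings.append((parts.path, name, "not an IPv4 literal"))
    return findings

def scan_log(lines):
    """Constructed log format: '<ts> <client> <METHOD> <url> [<urlencoded body>]'."""
    hits = []
    for line in lines:
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        body = fields[4] if len(fields) == 5 else ""
        hits += [(fields[1], p, n, r) for p, n, r in inspect_request(fields[3], body)]
    return hits

SAMPLE_LOG = [  # constructed traffic, not captured from a real device
    "2025-06-05T10:00:01Z 192.0.2.10 POST /goform/qosClassifier dip_address=10.0.0.5&sip_address=10.0.0.6",
    "2025-06-05T10:00:02Z 198.51.100.7 POST /goform/qosClassifier dip_address=" + "A" * 300 + "&sip_address=10.0.0.6",
    "2025-06-05T10:00:03Z 198.51.100.7 POST /goform/setipsec_config localIP=10.0.0.1%3Bx&remoteIP=10.0.0.2",
    "2025-06-05T10:00:04Z 192.0.2.11 GET /goform/wirelessApcli_5g?apcli_mode_5g=AP",
]
```

Running `scan_log(SAMPLE_LOG)` reports the oversized dip_address and the localIP containing a `;`, and nothing for the two benign requests; on a real deployment the same checks belong in a reverse proxy or IDS in front of the router, since the device itself will never receive a fix.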

Immediate Retirement Recommended 

The vulnerabilities were initially disclosed by security researcher pjqwudi through VulDB, underscoring the severity of these network infrastructure flaws.

D-Link has officially designated all DIR-816 models as End-of-Service (EOS), meaning no firmware updates or security patches will be released. 

The company strongly recommends immediate retirement of these devices, warning that continued use poses significant security risks to connected networks.

Users are advised to transition to current-generation products with active firmware development, perform comprehensive data backups, and contact D-Link regional offices for replacement recommendations.
