Skip to content
Threat Feed
critical advisory

D-Link DIR-513 v1.10 Remote Buffer Overflow Vulnerability (CVE-2026-6013)

A remote buffer overflow vulnerability exists in the formSetRoute function of the D-Link DIR-513 v1.10 router's web interface, triggered by manipulating the 'curTime' argument in a POST request, potentially allowing unauthenticated attackers to execute arbitrary code; this vulnerability affects an end-of-life product with a public exploit.

CVE-2026-6013 describes a critical buffer overflow vulnerability in the D-Link DIR-513 router, specifically version 1.10. The vulnerability lies within the formSetRoute function of the /goform/formSetRoute file, which handles POST requests. An attacker can exploit this flaw by manipulating the curTime argument in a crafted POST request, leading to a buffer overflow. Successful exploitation could allow a remote attacker to execute arbitrary code on the device. Public exploits are reportedly available, increasing the risk of exploitation. However, D-Link has reached end-of-life for the DIR-513 product line, meaning no patch will be released, so any vulnerable device needs to be taken offline.

Attack Chain

  1. The attacker identifies a vulnerable D-Link DIR-513 router (v1.10) accessible over the network.
  2. The attacker crafts a malicious HTTP POST request targeting the /goform/formSetRoute endpoint.
  3. Within the POST request, the attacker includes the curTime argument with a value exceeding the expected buffer size.
  4. The web server on the D-Link DIR-513 receives the malicious POST request.
  5. The formSetRoute function processes the request and attempts to copy the overly long curTime value into a fixed-size buffer without proper bounds checking.
  6. The buffer overflow occurs, overwriting adjacent memory regions.
  7. By carefully crafting the overflowing data, the attacker can overwrite critical data such as return addresses.
  8. When the formSetRoute function returns, it jumps to the attacker-controlled address, leading to arbitrary code execution on the router, achieving full system compromise.

Impact

Successful exploitation of CVE-2026-6013 can lead to arbitrary code execution on the vulnerable D-Link DIR-513 router. This could allow an attacker to gain complete control of the device, potentially enabling them to eavesdrop on network traffic, modify router settings, or use the compromised device as a bot in a larger botnet. The vulnerability affects all D-Link DIR-513 v1.10 devices still in operation, although the exact number of vulnerable devices is unknown due to the product's end-of-life status.

Recommendation

  • Identify and immediately decommission any D-Link DIR-513 v1.10 routers on your network to eliminate the risk of exploitation of CVE-2026-6013.
  • Deploy the provided Sigma rule to detect suspicious POST requests to /goform/formSetRoute with abnormally long curTime parameters (see Sigma rule: "Detect Suspicious Long curTime Parameter").
  • Monitor web server logs for unusual activity related to the /goform/formSetRoute endpoint, as this is the primary attack vector (see logsource: category: webserver).

Detection coverage 2

Detect Suspicious Long curTime Parameter

high

Detects unusually long 'curTime' parameters in POST requests to '/goform/formSetRoute', indicative of a potential buffer overflow attempt (CVE-2026-6013).

sigma tactics: initial_access techniques: T1189, T1190 sources: webserver, linux

Detect Access to D-Link DIR-513 formSetRoute

medium

Detects POST requests to the /goform/formSetRoute endpoint on D-Link DIR-513 routers, which may indicate attempts to exploit CVE-2026-6013.

sigma tactics: initial_access techniques: T1189 sources: webserver, linux

Detection queries are available on the platform. Get full rules →