Skip to content
Threat Feed
critical advisory

D-Link DIR-513 Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability (CVE-2026-4555) exists in the formEasySetTimezone function of the /goform/formEasySetTimezone file within the boa component of D-Link DIR-513 1.10, allowing remote attackers to execute arbitrary code.

CVE-2026-4555 describes a critical stack-based buffer overflow vulnerability affecting D-Link DIR-513 version 1.10. The vulnerability resides within the formEasySetTimezone function, specifically in the /goform/formEasySetTimezone file of the boa component. Attackers can exploit this flaw by manipulating the curTime argument, leading to arbitrary code execution. This vulnerability is remotely exploitable and has a publicly available exploit, increasing the risk of widespread attacks. Since D-Link DIR-513 is no longer supported, patching is not an option, making unpatched devices vulnerable. This lack of support and the ease of exploitation pose a significant threat to users who still operate these devices.

Attack Chain

  1. The attacker identifies a vulnerable D-Link DIR-513 device running firmware version 1.10.
  2. The attacker crafts a malicious HTTP request targeting the /goform/formEasySetTimezone endpoint.
  3. The crafted request includes a specially crafted curTime argument designed to overflow the buffer.
  4. The boa web server processes the request and calls the formEasySetTimezone function.
  5. Due to insufficient input validation, the curTime argument overflows the stack buffer.
  6. The overflow overwrites critical data on the stack, including the return address.
  7. The attacker redirects control flow to a malicious payload injected within the overflow.
  8. The payload executes arbitrary commands on the device, potentially granting the attacker full control.

Impact

Successful exploitation of CVE-2026-4555 allows remote attackers to execute arbitrary code on vulnerable D-Link DIR-513 devices. This could lead to complete device compromise, allowing attackers to modify device settings, eavesdrop on network traffic, or use the device as a bot in a larger botnet. Since the affected product is no longer supported, a patch is unlikely, leaving users with vulnerable devices exposed to potential attacks indefinitely. This can lead to significant security breaches and potential data compromise for home and small business users.

Recommendation

  • Deploy the Sigma rule Detect D-Link DIR-513 Timezone Overflow Attempt to identify attempts to exploit CVE-2026-4555 via HTTP requests (logsource: webserver).
  • Implement network segmentation to isolate vulnerable D-Link DIR-513 devices from critical network resources if immediate replacement is not feasible.
  • Consider deploying a web application firewall (WAF) rule to block requests containing excessively long curTime parameters to mitigate exploit attempts (logsource: firewall).
  • Monitor network traffic for unusual activity originating from D-Link DIR-513 devices, as this could indicate a compromised device performing malicious actions.

Detection coverage 2

Detect D-Link DIR-513 Timezone Overflow Attempt

critical

Detects attempts to exploit CVE-2026-4555 by overflowing the curTime parameter in requests to /goform/formEasySetTimezone.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detect D-Link DIR-513 Boa Access Log Tampering

high

Detects attempts to exploit CVE-2026-4555 by manipulating the boa component.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detection queries are available on the platform. Get full rules →