{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/d-link-dir-513/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["D-Link DIR-513"],"_cs_severities":["critical"],"_cs_tags":["cve","stack-overflow","d-link","network-device"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eCVE-2026-4555 describes a critical stack-based buffer overflow vulnerability affecting D-Link DIR-513 version 1.10. The vulnerability resides within the \u003ccode\u003eformEasySetTimezone\u003c/code\u003e function, specifically in the \u003ccode\u003e/goform/formEasySetTimezone\u003c/code\u003e file of the \u003ccode\u003eboa\u003c/code\u003e component. Attackers can exploit this flaw by manipulating the \u003ccode\u003ecurTime\u003c/code\u003e argument, leading to arbitrary code execution. This vulnerability is remotely exploitable and has a publicly available exploit, increasing the risk of widespread attacks. Since D-Link DIR-513 is no longer supported, patching is not an option, making unpatched devices vulnerable. This lack of support and the ease of exploitation pose a significant threat to users who still operate these devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-513 device running firmware version 1.10.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/formEasySetTimezone\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specially crafted \u003ccode\u003ecurTime\u003c/code\u003e argument designed to overflow the buffer.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eboa\u003c/code\u003e web server processes the request and calls the \u003ccode\u003eformEasySetTimezone\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the \u003ccode\u003ecurTime\u003c/code\u003e argument overflows the stack buffer.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects control flow to a malicious payload injected within the overflow.\u003c/li\u003e\n\u003cli\u003eThe payload executes arbitrary commands on the device, potentially granting the attacker full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4555 allows remote attackers to execute arbitrary code on vulnerable D-Link DIR-513 devices. This could lead to complete device compromise, allowing attackers to modify device settings, eavesdrop on network traffic, or use the device as a bot in a larger botnet. Since the affected product is no longer supported, a patch is unlikely, leaving users with vulnerable devices exposed to potential attacks indefinitely. This can lead to significant security breaches and potential data compromise for home and small business users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-513 Timezone Overflow Attempt\u003c/code\u003e to identify attempts to exploit CVE-2026-4555 via HTTP requests (logsource: webserver).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate vulnerable D-Link DIR-513 devices from critical network resources if immediate replacement is not feasible.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to block requests containing excessively long \u003ccode\u003ecurTime\u003c/code\u003e parameters to mitigate exploit attempts (logsource: firewall).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual activity originating from D-Link DIR-513 devices, as this could indicate a compromised device performing malicious actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-dlink-stack-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-4555) exists in the formEasySetTimezone function of the /goform/formEasySetTimezone file within the boa component of D-Link DIR-513 1.10, allowing remote attackers to execute arbitrary code.","title":"D-Link DIR-513 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-26-dlink-stack-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6012"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["D-Link DIR-513"],"_cs_severities":["high"],"_cs_tags":["cve-2026-6012","buffer-overflow","d-link"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, CVE-2026-6012, has been identified in D-Link DIR-513 version 1.10. This vulnerability resides within the \u003ccode\u003eformSetPassword\u003c/code\u003e function of the \u003ccode\u003e/goform/formSetPassword\u003c/code\u003e component, specifically affecting the POST Request Handler. The vulnerability can be triggered by manipulating the \u003ccode\u003ecurTime\u003c/code\u003e argument, leading to a buffer overflow condition. While a public exploit exists, it is important to note that the D-Link DIR-513 is no longer supported by the vendor. This vulnerability allows a remote attacker to potentially execute arbitrary code or cause a denial-of-service condition on the affected device. Given the end-of-life status of the device, patching is not a viable mitigation strategy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-513 device running firmware version 1.10.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/goform/formSetPassword\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker manipulates the \u003ccode\u003ecurTime\u003c/code\u003e argument with a payload exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformSetPassword\u003c/code\u003e function processes the malicious POST request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003ecurTime\u003c/code\u003e argument overflows the allocated buffer, potentially overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe memory corruption leads to the execution of arbitrary code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the device, potentially gaining access to sensitive information or using the device as a bot in a larger attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected D-Link DIR-513 device. Given the nature of the device, this could lead to unauthorized access to the network, data exfiltration, or the device being used as part of a botnet. While the device is no longer supported, there may still be vulnerable devices in operation, especially in home or small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-513 formSetPassword Buffer Overflow Attempt\u003c/code\u003e to detect exploitation attempts targeting the vulnerable endpoint (webserver logs).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate potentially vulnerable D-Link DIR-513 devices from critical network resources.\u003c/li\u003e\n\u003cli\u003eSince the device is end-of-life, consider replacing the device with a supported and patched alternative to fully remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/goform/formSetPassword\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-dlink-buffer-overflow/","summary":"A buffer overflow vulnerability exists in D-Link DIR-513 1.10 within the formSetPassword function of the /goform/formSetPassword POST Request Handler; successful exploitation via manipulation of the curTime argument could be achieved remotely, although the affected product is no longer supported.","title":"D-Link DIR-513 Buffer Overflow Vulnerability (CVE-2026-6012)","url":"https://feed.craftedsignal.io/briefs/2024-01-dlink-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - D-Link DIR-513","version":"https://jsonfeed.org/version/1.1"}