{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dir-513/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6013"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DIR-513"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-6013","buffer-overflow","dlink","router"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eCVE-2026-6013 describes a critical buffer overflow vulnerability in the D-Link DIR-513 router, specifically version 1.10. The vulnerability lies within the \u003ccode\u003eformSetRoute\u003c/code\u003e function of the \u003ccode\u003e/goform/formSetRoute\u003c/code\u003e file, which handles POST requests. An attacker can exploit this flaw by manipulating the \u003ccode\u003ecurTime\u003c/code\u003e argument in a crafted POST request, leading to a buffer overflow. Successful exploitation could allow a remote attacker to execute arbitrary code on the device. Public exploits are reportedly available, increasing the risk of exploitation. However, D-Link has reached end-of-life for the DIR-513 product line, meaning no patch will be released, so any vulnerable device needs to be taken offline.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-513 router (v1.10) accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/formSetRoute\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003ecurTime\u003c/code\u003e argument with a value exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe web server on the D-Link DIR-513 receives the malicious POST request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformSetRoute\u003c/code\u003e function processes the request and attempts to copy the overly long \u003ccode\u003ecurTime\u003c/code\u003e value into a fixed-size buffer without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eBy carefully crafting the overflowing data, the attacker can overwrite critical data such as return addresses.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eformSetRoute\u003c/code\u003e function returns, it jumps to the attacker-controlled address, leading to arbitrary code execution on the router, achieving full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6013 can lead to arbitrary code execution on the vulnerable D-Link DIR-513 router. This could allow an attacker to gain complete control of the device, potentially enabling them to eavesdrop on network traffic, modify router settings, or use the compromised device as a bot in a larger botnet. The vulnerability affects all D-Link DIR-513 v1.10 devices still in operation, although the exact number of vulnerable devices is unknown due to the product's end-of-life status.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify and immediately decommission any D-Link DIR-513 v1.10 routers on your network to eliminate the risk of exploitation of CVE-2026-6013.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious POST requests to \u003ccode\u003e/goform/formSetRoute\u003c/code\u003e with abnormally long \u003ccode\u003ecurTime\u003c/code\u003e parameters (see Sigma rule: \u0026quot;Detect Suspicious Long curTime Parameter\u0026quot;).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the \u003ccode\u003e/goform/formSetRoute\u003c/code\u003e endpoint, as this is the primary attack vector (see logsource: category: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:45:00Z","date_published":"2024-01-03T18:45:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-dlink-dir-513-overflow/","summary":"A remote buffer overflow vulnerability exists in the formSetRoute function of the D-Link DIR-513 v1.10 router's web interface, triggered by manipulating the 'curTime' argument in a POST request, potentially allowing unauthenticated attackers to execute arbitrary code; this vulnerability affects an end-of-life product with a public exploit.","title":"D-Link DIR-513 v1.10 Remote Buffer Overflow Vulnerability (CVE-2026-6013)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-dlink-dir-513-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - DIR-513","version":"https://jsonfeed.org/version/1.1"}