{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/dir-825m/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7289"}],"_cs_exploited":false,"_cs_products":["DIR-825M"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","router","dlink","cve"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA buffer overflow vulnerability exists in D-Link DIR-825M router version 1.1.12. The vulnerability is located within the \u003ccode\u003esub_414BA8\u003c/code\u003e function of the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e file. An attacker can exploit this flaw by manipulating the \u003ccode\u003esubmit-url\u003c/code\u003e argument, leading to arbitrary code execution on the device. This vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available, increasing the risk of widespread attacks. Exploitation does not require authentication by default, and could allow an attacker to gain complete control over the device. This poses a significant threat to home and small business networks relying on this router model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-825M router running firmware version 1.1.12.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003esubmit-url\u003c/code\u003e argument in the POST request, injecting a buffer overflow payload.\u003c/li\u003e\n\u003cli\u003eThe crafted payload overflows the buffer in the \u003ccode\u003esub_414BA8\u003c/code\u003e function during the processing of the \u003ccode\u003esubmit-url\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical memory regions, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esub_414BA8\u003c/code\u003e function returns, control is redirected to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload executes arbitrary code, potentially downloading and executing a secondary payload.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell access to the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the D-Link DIR-825M router. This can lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the router as a botnet node for further malicious activities. Given the widespread use of D-Link routers in home and small business networks, a successful attack could compromise a large number of devices and networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from D-Link to patch CVE-2026-7289.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious POST requests to \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e with overly long \u003ccode\u003esubmit-url\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T15:16:37Z","date_published":"2026-04-28T15:16:37Z","id":"/briefs/2026-04-dlink-buffer-overflow/","summary":"D-Link DIR-825M version 1.1.12 is vulnerable to a buffer overflow via manipulation of the submit-url argument in the /boafrm/formWanConfigSetup file's sub_414BA8 function, allowing a remote attacker to execute arbitrary code.","title":"D-Link DIR-825M Remote Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — DIR-825M","version":"https://jsonfeed.org/version/1.1"}