Attack Chain

1. Attacker identifies a vulnerable D-Link DIR-605L router running firmware 2.13B01.
2. Attacker crafts a malicious HTTP POST request targeting the /goform/formVirtualServ endpoint.
3. The POST request includes the curTime argument with a value exceeding the buffer’s capacity.
4. The router’s formVirtualServ function processes the POST request without proper bounds checking.
5. The oversized curTime value overwrites adjacent memory regions on the stack or heap.
6. The attacker carefully crafts the overflow payload to overwrite the return address.
7. Upon returning from the formVirtualServ function, control is transferred to the attacker-controlled address.
8. The attacker executes arbitrary code on the router, potentially gaining full control.

Impact

Successful exploitation of this buffer overflow vulnerability (CVE-2026-5979) can lead to complete compromise of the D-Link DIR-605L router. Attackers could potentially execute arbitrary code, enabling them to modify router settings, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Due to the product being end-of-life, a patch is not available. The number of vulnerable devices is unknown.

Recommendation

• Monitor webserver logs for requests to /goform/formVirtualServ with unusually long curTime parameters to detect potential exploitation attempts (see Sigma rule “Detect Suspiciously Long curTime Parameter in D-Link Routers”).
• Implement network intrusion detection system (IDS) rules to detect suspicious traffic patterns associated with buffer overflow exploits targeting web interfaces.
• Since this device is end-of-life, consider replacing the D-Link DIR-605L router with a supported model to mitigate the risk, as there will be no patches issued.
• Examine network traffic for unusual outbound connections originating from D-Link DIR-605L routers to identify potentially compromised devices (see Sigma rule “Detect Outbound Connections from D-Link Routers”).