<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-6013 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-6013/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:45:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-6013/feed.xml" rel="self" type="application/rss+xml"/><item><title>D-Link DIR-513 v1.10 Remote Buffer Overflow Vulnerability (CVE-2026-6013)</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-dlink-dir-513-overflow/</link><pubDate>Wed, 03 Jan 2024 18:45:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-dlink-dir-513-overflow/</guid><description>A remote buffer overflow vulnerability exists in the formSetRoute function of the D-Link DIR-513 v1.10 router's web interface, triggered by manipulating the 'curTime' argument in a POST request, potentially allowing unauthenticated attackers to execute arbitrary code; this vulnerability affects an end-of-life product with a public exploit.</description><content:encoded><![CDATA[<p>CVE-2026-6013 describes a critical buffer overflow vulnerability in the D-Link DIR-513 router, specifically version 1.10. The vulnerability lies within the <code>formSetRoute</code> function of the <code>/goform/formSetRoute</code> file, which handles POST requests. An attacker can exploit this flaw by manipulating the <code>curTime</code> argument in a crafted POST request, leading to a buffer overflow. Successful exploitation could allow a remote attacker to execute arbitrary code on the device. Public exploits are reportedly available, increasing the risk of exploitation. However, D-Link has reached end-of-life for the DIR-513 product line, meaning no patch will be released, so any vulnerable device needs to be taken offline.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable D-Link DIR-513 router (v1.10) accessible over the network.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/formSetRoute</code> endpoint.</li>
<li>Within the POST request, the attacker includes the <code>curTime</code> argument with a value exceeding the expected buffer size.</li>
<li>The web server on the D-Link DIR-513 receives the malicious POST request.</li>
<li>The <code>formSetRoute</code> function processes the request and attempts to copy the overly long <code>curTime</code> value into a fixed-size buffer without proper bounds checking.</li>
<li>The buffer overflow occurs, overwriting adjacent memory regions.</li>
<li>By carefully crafting the overflowing data, the attacker can overwrite critical data such as return addresses.</li>
<li>When the <code>formSetRoute</code> function returns, it jumps to the attacker-controlled address, leading to arbitrary code execution on the router, achieving full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6013 can lead to arbitrary code execution on the vulnerable D-Link DIR-513 router. This could allow an attacker to gain complete control of the device, potentially enabling them to eavesdrop on network traffic, modify router settings, or use the compromised device as a bot in a larger botnet. The vulnerability affects all D-Link DIR-513 v1.10 devices still in operation, although the exact number of vulnerable devices is unknown due to the product's end-of-life status.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Identify and immediately decommission any D-Link DIR-513 v1.10 routers on your network to eliminate the risk of exploitation of CVE-2026-6013.</li>
<li>Deploy the provided Sigma rule to detect suspicious POST requests to <code>/goform/formSetRoute</code> with abnormally long <code>curTime</code> parameters (see Sigma rule: &quot;Detect Suspicious Long curTime Parameter&quot;).</li>
<li>Monitor web server logs for unusual activity related to the <code>/goform/formSetRoute</code> endpoint, as this is the primary attack vector (see logsource: category: webserver).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-6013</category><category>buffer-overflow</category><category>dlink</category><category>router</category></item></channel></rss>