{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/d-link/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7248"}],"_cs_exploited":false,"_cs_products":["DI-8100"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7248","buffer-overflow","d-link","router"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7248, affects the D-Link DI-8100 router, specifically version 16.07.26A1. The vulnerability resides within the \u003ccode\u003etgfile_htm\u003c/code\u003e function of the \u003ccode\u003etgfile.htm\u003c/code\u003e file, a component of the CGI endpoint. By crafting a malicious request targeting the \u003ccode\u003efn\u003c/code\u003e argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is particularly concerning as a proof-of-concept exploit has been publicly released, increasing the likelihood of exploitation. 
Routers are often targeted due to their exposure to the internet and the potential to compromise entire networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DI-8100 router running firmware version 16.07.26A1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etgfile.htm\u003c/code\u003e CGI endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes an overly long string in the \u003ccode\u003efn\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server processes the request and passes the \u003ccode\u003efn\u003c/code\u003e argument to the \u003ccode\u003etgfile_htm\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etgfile_htm\u003c/code\u003e function fails to properly validate the length of the \u003ccode\u003efn\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eA buffer overflow occurs when the overly long \u003ccode\u003efn\u003c/code\u003e argument is copied into a fixed-size buffer.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory, potentially including return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router, potentially allowing them to take full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code on the D-Link DI-8100 router. This could lead to a complete compromise of the device, allowing the attacker to intercept network traffic, modify router settings, or use the router as a launchpad for further attacks against other devices on the network. 
Given the public availability of an exploit, widespread exploitation is possible, potentially affecting numerous home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server or reverse-proxy logs for abnormally long \u003ccode\u003efn\u003c/code\u003e parameters in requests to \u003ccode\u003e/tgfile.htm\u003c/code\u003e using the provided Sigma rule. Most consumer routers do not export HTTP logs, so in practice this means inspecting traffic to the management interface with a NIDS or a span port. Apply the length check to the decoded parameter value, since a URL-encoded payload can look shorter or longer than the bytes that actually reach \u003ccode\u003etgfile_htm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure the web management interface is not reachable from the WAN side (disable remote management) and restrict it to trusted LAN addresses. Rate limiting is of little value here: the overflow is triggered by a single request, so it does not slow down an attacker who already has a working payload.\u003c/li\u003e\n\u003cli\u003eThe source material identifies the vulnerability but does not reference a fixed firmware version. Check the vendor advisory for an update, and if none is offered, plan to replace the affected device.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T09:16:18Z","date_published":"2026-04-28T09:16:18Z","id":"/briefs/2026-04-dlink-di-8100-bo/","summary":"A buffer overflow vulnerability in the D-Link DI-8100 router allows remote attackers to execute arbitrary code by manipulating the 'fn' argument in the tgfile_htm function of the CGI endpoint.","title":"D-Link DI-8100 Remote Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5980"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","router","d-link"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5980 is a buffer overflow vulnerability (CVSS 8.8) affecting the D-Link DIR-605L router, specifically version 2.13B01. The vulnerability resides in the \u003ccode\u003eformSetMACFilter\u003c/code\u003e function that handles POST requests to the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e endpoint. 
A remote attacker can exploit this by sending a crafted POST request with an over-long \u003ccode\u003ecurTime\u003c/code\u003e argument, leading to a buffer overflow. Exploit code is publicly available. Because the product is end-of-life, no patch is available, so every deployed unit running this version remains exposed. Successful exploitation allows remote code execution and complete compromise of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-605L router (version 2.13B01) whose management interface is exposed to the internet, or is reachable from a network the attacker already controls.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request carries a \u003ccode\u003ecurTime\u003c/code\u003e parameter whose value is longer than the destination buffer.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003eformSetMACFilter\u003c/code\u003e function copies \u003ccode\u003ecurTime\u003c/code\u003e into that buffer without checking its length.\u003c/li\u003e\n\u003cli\u003eThe copy overruns the buffer and overwrites adjacent memory.\u003c/li\u003e\n\u003cli\u003eThe attacker shapes the overflow so that it overwrites control data: the saved return address if the buffer is stack-allocated, otherwise a nearby function pointer.\u003c/li\u003e\n\u003cli\u003eWhen \u003ccode\u003eformSetMACFilter\u003c/code\u003e returns (or the clobbered pointer is used), execution is redirected to an address the attacker chose: injected code, or existing code if the stack is not executable.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router, potentially installing malware, changing configurations, or using the device for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5980 allows a remote attacker to gain complete control over the vulnerable D-Link DIR-605L router. Because the product is no longer supported, a large number of legacy units are likely to remain vulnerable indefinitely. Attackers can leverage compromised routers to build botnets, conduct man-in-the-middle attacks against the LAN, or gain unauthorized access to internal networks behind the router. The lack of a patch elevates the severity: the only complete remedy is replacing the device, and the controls below only reduce exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-605L Buffer Overflow Attempt\u003c/code\u003e to identify POST requests to the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e endpoint with an oversized \u003ccode\u003ecurTime\u003c/code\u003e value on D-Link DIR-605L devices. Because the exploit needs only one request, treat an alert as a likely compromise rather than an attempt in progress.\u003c/li\u003e\n\u003cli\u003eConfirm that the web management interface is not reachable from the WAN (disable remote management) and restrict it to trusted LAN hosts; an internet-facing admin page is the primary exposure for this bug.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate potentially vulnerable D-Link DIR-605L routers and limit the impact of a successful compromise.\u003c/li\u003e\n\u003cli\u003eReplace D-Link DIR-605L routers (version 2.13B01) with supported devices; this is the only way to eliminate the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:14Z","date_published":"2026-04-09T21:16:14Z","id":"/briefs/2026-04-dlink-dir605l-buffer-overflow/","summary":"A buffer overflow vulnerability exists in the D-Link DIR-605L router version 2.13B01, allowing a remote attacker to execute arbitrary code by manipulating the `curTime` argument in the `formSetMACFilter` function.","title":"D-Link DIR-605L Router Buffer Overflow Vulnerability 
(CVE-2026-5980)","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5844"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","d-link","router","cve-2026-5844"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5844 describes a command injection vulnerability (CVSS 7.2) affecting D-Link DIR-882 routers running firmware version 1.01B02. The flaw is in the HNAP1 SetNetworkSettings handler of the \u003ccode\u003eprog.cgi\u003c/code\u003e CGI program: the handler uses \u003ccode\u003esprintf\u003c/code\u003e to build a shell command string that embeds the caller-supplied \u003ccode\u003eIPAddress\u003c/code\u003e value without sanitization, and that string is then executed by the router\u0026rsquo;s shell. By placing shell metacharacters and additional commands in \u003ccode\u003eIPAddress\u003c/code\u003e, a remote attacker can run arbitrary OS commands with the privileges of the web server process, which on consumer routers is typically root. The vulnerability is considered critical due to the potential for complete system compromise and the availability of a public exploit. Note that the brief describes the attacker as unauthenticated while recording a CVSS score of 7.2, which is the usual value for a network attack that requires high privileges; check the CVE record for whether the HNAP call needs administrator credentials before treating this as an unauthenticated issue. 
This vulnerability impacts products that are no longer supported by the maintainer, increasing the risk for users who have not migrated to newer devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-882 router running firmware version 1.01B02.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the \u003ccode\u003eprog.cgi\u003c/code\u003e endpoint. HNAP actions are SOAP messages selected by the \u003ccode\u003eSOAPAction\u003c/code\u003e header, so the request names \u003ccode\u003eSetNetworkSettings\u003c/code\u003e there and carries its parameters in the XML body.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the HNAP1 SetNetworkSettings handler.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIPAddress\u003c/code\u003e element contains, instead of a plain IPv4 address, shell metacharacters followed by the attacker\u0026rsquo;s commands.\u003c/li\u003e\n\u003cli\u003eThe handler formats the unsanitized \u003ccode\u003eIPAddress\u003c/code\u003e value into a command string with \u003ccode\u003esprintf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command string is handed to the shell, which interprets the metacharacters and executes the injected commands alongside the intended one.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then modify router settings, eavesdrop on network traffic, or enrol the router in a botnet.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5844 allows a remote attacker to execute arbitrary OS commands on the vulnerable D-Link DIR-882 router. This can lead to a complete compromise of the device, enabling attackers to reconfigure the router, intercept network traffic, or use the compromised device as part of a botnet. The vulnerability affects end-of-life products, meaning no official patches are available. 
The impact is significant because these routers are widely deployed in home and small business networks, where the router is the gateway to every internal system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-882 Command Injection Attempt\u003c/code\u003e to detect requests to \u003ccode\u003eprog.cgi\u003c/code\u003e containing shell metacharacters.\u003c/li\u003e\n\u003cli\u003eThe publicly available exploit is hosted at \u003ccode\u003ehttps://files.catbox.moe/ei31k1.zip\u003c/code\u003e (listed as an IOC). Blocking or alerting on that URL at an egress proxy can reveal an internal host fetching the exploit, but it does not protect the router: an attacker can obtain the code from anywhere, so treat the URL as a detection indicator rather than a mitigation.\u003c/li\u003e\n\u003cli\u003eInspect HTTP requests to \u003ccode\u003eprog.cgi\u003c/code\u003e whose \u003ccode\u003eIPAddress\u003c/code\u003e value is anything other than a dotted-quad IPv4 address (log source: webserver). Length is a weak signal for command injection, since a working payload can be very short; an allow-list on the expected value shape is more reliable than a metacharacter blocklist. Consumer routers rarely export web server logs, so in practice this check runs on captured traffic.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to identify and block exploit attempts targeting CVE-2026-5844 (log source: network_connection).\u003c/li\u003e\n\u003cli\u003eDisable remote (WAN-side) management so that the HNAP interface is reachable only from the LAN, and replace the end-of-life device where possible, since no fix will be issued.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T05:16:06Z","date_published":"2026-04-09T05:16:06Z","id":"/briefs/2026-04-dlink-command-injection/","summary":"A command injection vulnerability (CVE-2026-5844) exists in the D-Link DIR-882 router version 1.01B02, allowing a remote attacker to execute arbitrary OS commands by manipulating the IPAddress argument in the HNAP1 SetNetworkSettings Handler via the prog.cgi script.","title":"D-Link DIR-882 Remote Command Injection Vulnerability (CVE-2026-5844)","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-command-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["d-link","router","airsnitch","vulnerability","network-traffic-manipulation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026lsquo;Airsnitch\u0026rsquo; vulnerability affects D-LINK Router 
models M60 and DIR-3040. An attacker positioned on an adjacent network can exploit this flaw to circumvent security protocols, which allows them to expose sensitive data and manipulate network traffic. The advisory does not describe how the vulnerability is exploited, but the stated impact (bypass of security controls, disclosure and traffic manipulation from an adjacent network) implies a significant compromise of network security and data integrity. Defenders should prioritize identifying affected devices and limiting what adjacent networks can reach. This vulnerability poses a risk to both home and enterprise networks using the affected D-LINK router models.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThe source advisory gives no exploitation details, so the chain below illustrates how an adjacent-network bypass of this kind is typically abused; it is not a description of the Airsnitch technique itself.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains a position on an adjacent network, either physically or by joining or compromising the wireless network.\u003c/li\u003e\n\u003cli\u003eAttacker sends crafted traffic to the D-LINK router that exploits the \u0026lsquo;Airsnitch\u0026rsquo; flaw to bypass the controls that should separate the adjacent network from protected traffic or the management interface.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to data or settings that the adjacent network should not be able to reach.\u003c/li\u003e\n\u003cli\u003eAttacker modifies DNS settings to redirect traffic to malicious servers.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts and analyzes network traffic, capturing sensitive information such as usernames and passwords.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious content into network traffic, potentially compromising other devices on the network.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to persist, for example by creating a rogue administrator account; the advisory does not state whether firmware modification is possible.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the \u0026lsquo;Airsnitch\u0026rsquo; vulnerability can lead to significant compromise of network 
security. Attackers can gain unauthorized access to sensitive information, manipulate network traffic, and potentially compromise other devices on the network. This can result in data breaches, financial losses, and reputational damage. The number of potential victims is significant, given the widespread use of D-LINK routers in both home and enterprise environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCapture traffic on the segments adjacent to affected routers and look for connections to the router\u0026rsquo;s management interface from hosts that have no business managing it; use the findings to tune existing firewall rules and create new ones.\u003c/li\u003e\n\u003cli\u003eMonitor DNS settings on D-LINK routers for unauthorized modifications: periodically read the configured resolvers and compare them against a known-good baseline.\u003c/li\u003e\n\u003cli\u003eImplement strict access control on adjacent networks to limit what can reach the D-LINK routers: keep guest and IoT clients on separate networks, enable wireless client isolation where the firmware offers it, and allow management traffic only from an administrative segment.\u003c/li\u003e\n\u003cli\u003eCheck D-Link\u0026rsquo;s advisory for updated firmware for the M60 and DIR-3040; this brief does not state whether a fix is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T09:58:56Z","date_published":"2026-04-08T09:58:56Z","id":"/briefs/2026-04-dlink-router-vulnerability/","summary":"The 'Airsnitch' vulnerability in D-LINK Router M60 and DIR-3040 allows an attacker from an adjacent network to bypass security measures, disclose confidential information, and manipulate network traffic.","title":"D-LINK Router M60 and DIR-3040 'Airsnitch' Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-router-vulnerability/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-7069"}],"_cs_exploited":false,"_cs_products":["DIR-825"],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","cve","miniupnpd","d-link"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-7069, has been discovered in D-Link DIR-825 routers with firmware versions up to 3.00b32. 
The vulnerability resides within the \u003ccode\u003eAddPortMapping\u003c/code\u003e function of the \u003ccode\u003eupnpsoap.c\u003c/code\u003e file, part of the \u003ccode\u003eminiupnpd\u003c/code\u003e component. An attacker on the local network can exploit it by sending a UPnP \u003ccode\u003eAddPortMapping\u003c/code\u003e SOAP request whose \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e argument is longer than the buffer that receives it. Given that an exploit is publicly available, the risk of exploitation is elevated. The vulnerability is especially concerning because it affects end-of-life products, so official patches are unlikely to be released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the local network, either through physical access or by compromising a device on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-825 router running a firmware version up to 3.00b32, for example by locating its UPnP service through SSDP discovery on UDP port 1900.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SOAP request to the UPnP control URL advertised by the router.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e argument with a payload exceeding the capacity of the buffer used in \u003ccode\u003eAddPortMapping\u003c/code\u003e within \u003ccode\u003eupnpsoap.c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003eminiupnpd\u003c/code\u003e component processes the SOAP request and overflows the buffer when copying the over-long \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory, potentially including function pointers or a saved return address.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects execution to code of their choosing: shellcode carried in the request if the overwritten region is executable, or existing code otherwise.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code 
on the router, potentially gaining full control of the device or using it as a pivot point to attack other devices on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7069 allows an attacker on the local network to execute arbitrary code on the vulnerable D-Link DIR-825 router. This can lead to complete compromise of the router, allowing the attacker to eavesdrop on network traffic, modify DNS settings, or use the router to launch attacks against other devices on the network or on the internet. Because \u003ccode\u003eminiupnpd\u003c/code\u003e must be able to rewrite the router\u0026rsquo;s firewall rules, code running inside it already controls NAT and filtering. Given the end-of-life status of the affected devices, a large number of vulnerable routers may remain in use, making this a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable UPnP on D-Link DIR-825 routers where possible to remove the attack surface for CVE-2026-7069. If it must stay enabled, confirm it answers only on the LAN interface; UPnP should never be reachable from the WAN. Verify with an SSDP M-SEARCH from the segments in question rather than trusting the configuration page.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SOAP requests to the UPnP service (miniupnpd) on internal network devices that carry an \u003ccode\u003eAddPortMapping\u003c/code\u003e SOAPAction with an oversized \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e, using a network intrusion detection system (NIDS). 
Deploy the Sigma rule targeting HTTP POST requests to the UPnP service.\u003c/li\u003e\n\u003cli\u003eSegment networks to limit the impact of a compromised router in case of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-dlink-dir825-buffer-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-7069) exists in the AddPortMapping function of the miniupnpd component within D-Link DIR-825 routers (up to version 3.00b32), potentially enabling attackers on the local network to execute arbitrary code.","title":"D-Link DIR-825 Buffer Overflow Vulnerability in miniupnpd","url":"https://feed.craftedsignal.io/briefs/2024-01-dlink-dir825-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — D-Link","version":"https://jsonfeed.org/version/1.1"}
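The detection recommendations in the four CVE briefs above (CVE-2026-7248, CVE-2026-5980, CVE-2026-5844 and CVE-2026-7069) all reduce to one request-level check: a named parameter is either too long or has the wrong shape. The Python below is an added example written for this page, not code from CraftedSignal or D-Link, that implements those four checks over constructed HTTP requests. The parameter names, endpoints and the HNAP and UPnP SOAPAction strings come from the briefs and the respective protocol conventions; the 128-byte threshold, the /HNAP1/ and /ctl/IPConn paths, the Host header and the sample requests are assumptions.

```python
"""Added example (not part of the feed): request-level detection for the four
D-Link CVEs above, run over constructed sample requests.  The threshold, the
sample paths and the bodies are assumptions; tune them against real traffic."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: every legitimate value of the parameters below is far shorter
# than this, and the vulnerable buffers are not much larger.
MAX_PARAM_LEN = 128
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "query": parse_qs(url.query, keep_blank_values=True),
            "headers": headers, "body": body.decode("latin-1")}


def soap_value(body, tag):
    """Text of the first <tag>...</tag> element in a SOAP body, or None."""
    match = re.search(r"<%s>(.*?)</%s>" % (tag, tag), body, re.S)
    return match.group(1) if match else None


def inspect(raw):
    """Return the CVE ids whose exploitation pattern the request matches."""
    req = parse_request(raw)
    action = req["headers"].get("soapaction", "")
    form = parse_qs(req["body"], keep_blank_values=True) if req["method"] == "POST" else {}
    hits = []
    # CVE-2026-7248: over-long fn to tgfile.htm (query string or form body).
    if req["path"].endswith("/tgfile.htm"):
        if any(len(v) > MAX_PARAM_LEN for v in req["query"].get("fn", []) + form.get("fn", [])):
            hits.append("CVE-2026-7248")
    # CVE-2026-5980: over-long curTime POSTed to /goform/formSetMACFilter.
    if req["path"] == "/goform/formSetMACFilter":
        if any(len(v) > MAX_PARAM_LEN for v in form.get("curTime", [])):
            hits.append("CVE-2026-5980")
    # CVE-2026-5844: HNAP SetNetworkSettings whose IPAddress is not a dotted quad.
    # Allow-listing the legitimate shape also catches short payloads that a
    # metacharacter blocklist would miss.
    if "SetNetworkSettings" in action:
        ip = soap_value(req["body"], "IPAddress")
        if ip is not None and not IPV4.match(ip.strip()):
            hits.append("CVE-2026-5844")
    # CVE-2026-7069: UPnP AddPortMapping with an oversized NewPortMappingDescription.
    if "AddPortMapping" in action:
        desc = soap_value(req["body"], "NewPortMappingDescription")
        if desc is not None and len(desc) > MAX_PARAM_LEN:
            hits.append("CVE-2026-7069")
    return hits


def _http(method, target, headers, body=""):
    """Build a raw request for the constructed samples below."""
    extra = "".join("%s: %s\r\n" % kv for kv in headers.items())
    return ("%s %s HTTP/1.1\r\nHost: 192.0.2.1\r\n%s\r\n%s"
            % (method, target, extra, body)).encode("latin-1")


HNAP = {"SOAPAction": '"http://purenetworks.com/HNAP1/SetNetworkSettings"'}
UPNP = {"SOAPAction": '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"'}
SAMPLES = {  # constructed for this example, not captured from real devices
    "benign_fn": _http("GET", "/tgfile.htm?fn=config.bin", {}),
    "overflow_fn": _http("GET", "/tgfile.htm?fn=" + "A" * 600, {}),
    "overflow_curtime": _http("POST", "/goform/formSetMACFilter",
                              {"Content-Type": "application/x-www-form-urlencoded"},
                              "curTime=" + "B" * 500 + "&macFilterMode=0"),
    "hnap_benign": _http("POST", "/HNAP1/", HNAP, "<IPAddress>192.168.0.1</IPAddress>"),
    "hnap_injection": _http("POST", "/HNAP1/", HNAP, "<IPAddress>192.168.0.1;id</IPAddress>"),
    "upnp_overflow": _http("POST", "/ctl/IPConn", UPNP,
                           "<NewPortMappingDescription>" + "C" * 2000
                           + "</NewPortMappingDescription>"),
}


def scan_samples():
    """Map each sample name to the CVE ids it triggers."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print("%-18s %s" % (name, ", ".join(hits) or "clean"))
```

To run this against real traffic, feed `inspect()` the reassembled request bytes from a capture (for example, one record per TCP stream exported from a NIDS) rather than the samples; the HNAP check deliberately validates the expected shape of `IPAddress` instead of searching for metacharacters, so a newline-separated or otherwise unusual payload is still flagged.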
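The DIR-825 brief recommends disabling UPnP and verifying that the service is not reachable from where an attacker could sit. The Python below is an added example for this page (not CraftedSignal or D-Link code) that performs that verification: it sends a standard SSDP M-SEARCH for the WANIPConnection service to 239.255.255.250:1900, parses the HTTPU replies, and reports responders whose SERVER header identifies miniupnpd together with the host and port of the UPnP HTTP service taken from the LOCATION header. Parsing is separated from network I/O so the sample reply, which is constructed rather than captured from a DIR-825, can be checked offline; the MX value, the timeout and the sample addresses are assumptions.

```python
"""Added example (not part of the feed): SSDP inventory of UPnP responders,
used to confirm that UPnP is really disabled or only answers on the LAN.
The sample reply below is constructed, not captured from a real DIR-825."""
import socket
from urllib.parse import urlsplit

SSDP_ADDR = ("239.255.255.250", 1900)
# Standard SSDP discovery for the service that carries AddPortMapping.
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            "MX: 2\r\n"
            "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n").encode()


def parse_ssdp_response(data):
    """Header map of an SSDP/HTTPU 200 response; {} for anything else."""
    lines = data.decode("latin-1", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def looks_like_miniupnpd(headers):
    """True when the SERVER header advertises miniupnpd (the DIR-825 stack)."""
    return "miniupnpd" in headers.get("SERVER", "").lower()


def control_host(headers):
    """(host, port) of the UPnP HTTP service named in LOCATION, or None."""
    location = headers.get("LOCATION")
    if not location:
        return None
    url = urlsplit(location)
    return (url.hostname, url.port or 80)


def discover(timeout=3.0):
    """Send M-SEARCH and collect (source ip, headers) for each reply (needs a LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH, SSDP_ADDR)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                found.append((ip, headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


SAMPLE_RESPONSE = (  # constructed example of a miniupnpd answer
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux/2.6 UPnP/1.1 MiniUPnPd/1.4\r\n"
    b"LOCATION: http://192.168.0.1:49152/rootDesc.xml\r\n\r\n"
)

if __name__ == "__main__":
    for ip, headers in discover():
        kind = "miniupnpd" if looks_like_miniupnpd(headers) else "other"
        print(ip, kind, headers.get("SERVER"), control_host(headers))
```

Run it from each segment that should not be able to reach the router's UPnP service (guest Wi-Fi, the WAN side of an upstream device) as well as from the LAN: any miniupnpd responder on a segment where UPnP was supposedly disabled is a configuration error to fix before worrying about detection rules.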