https://feed.craftedsignal.io/tags/d-link/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 28 Apr 2026 09:16:18 +0000https://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/Tue, 28 Apr 2026 09:16:18 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/A buffer overflow vulnerability in the D-Link DI-8100 router allows remote attackers to execute arbitrary code by manipulating the 'fn' argument in the tgfile_htm function of the CGI endpoint.A critical buffer overflow vulnerability, identified as CVE-2026-7248, affects the D-Link DI-8100 router, specifically version 16.07.26A1. The vulnerability resides within the tgfile_htm function of the tgfile.htm file, a component of the CGI endpoint. By crafting a malicious request targeting the fn argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is particularly concerning as a proof-of-concept exploit has been publicly released, increasing the likelihood of exploitation. Routers are often targeted due to their exposure to the internet and the potential to compromise entire networks.

Attack Chain

1. The attacker identifies a vulnerable D-Link DI-8100 router running firmware version 16.07.26A1.
2. The attacker crafts a malicious HTTP request targeting the tgfile.htm CGI endpoint.
3. The malicious request includes an overly long string in the fn argument.
4. The router’s web server processes the request and passes the fn argument to the tgfile_htm function.
5. The tgfile_htm function fails to properly validate the length of the fn argument.
6. A buffer overflow occurs when the overly long fn argument is copied into a fixed-size buffer.
7. The buffer overflow overwrites adjacent memory, potentially including return addresses or other critical data.
8. The attacker gains arbitrary code execution on the router, potentially allowing them to take full control of the device.

Impact

Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code on the D-Link DI-8100 router. This could lead to a complete compromise of the device, allowing the attacker to intercept network traffic, modify router settings, or use the router as a launchpad for further attacks against other devices on the network. Given the public availability of an exploit, widespread exploitation is possible, potentially affecting numerous home and small business networks.

Recommendation

• Monitor web server logs for abnormally long fn parameters in requests to /tgfile.htm using the provided Sigma rule to detect potential exploitation attempts.
• Implement rate limiting on HTTP requests to the router’s web interface to mitigate brute-force exploitation attempts.
• Since the source material only identifies a vulnerability, without a patch, consider replacing the affected device.

]]>criticaladvisorycve-2026-7248buffer-overflowd-linkrouterhttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/Thu, 09 Apr 2026 21:16:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/A buffer overflow vulnerability exists in the D-Link DIR-605L router version 2.13B01, allowing a remote attacker to execute arbitrary code by manipulating the `curTime` argument in the `formSetMACFilter` function.CVE-2026-5980 is a critical buffer overflow vulnerability affecting the D-Link DIR-605L router, specifically version 2.13B01. The vulnerability resides in the formSetMACFilter function within the /goform/formSetMACFilter component’s POST Request Handler. A remote attacker can exploit this by sending a crafted POST request with a malicious curTime argument, leading to a buffer overflow. Exploit code is publicly available. Due to the product’s end-of-life status, no patch is available, making unpatched devices highly vulnerable. This allows for potential remote code execution and complete compromise of the device.

Attack Chain

1. The attacker identifies a vulnerable D-Link DIR-605L router (version 2.13B01) exposed to the internet.
2. The attacker crafts a malicious POST request targeting the /goform/formSetMACFilter endpoint.
3. Within the POST request, the attacker includes the curTime parameter, injecting a string exceeding the buffer’s expected size.
4. The router’s formSetMACFilter function processes the POST request without proper bounds checking on the curTime argument.
5. The oversized curTime string overflows the buffer, overwriting adjacent memory regions.
6. The attacker carefully crafts the overflow to overwrite critical data, such as return addresses or function pointers.
7. When the formSetMACFilter function attempts to return, the overwritten return address is used, redirecting execution to attacker-controlled code.
8. The attacker gains arbitrary code execution on the router, potentially installing malware, changing configurations, or using the device for further malicious activities.

Impact

Successful exploitation of CVE-2026-5980 allows a remote attacker to gain complete control over the vulnerable D-Link DIR-605L router. Given that the affected product is no longer supported, a large number of legacy routers remain vulnerable. Attackers can leverage compromised routers to establish botnets, conduct man-in-the-middle attacks, or gain unauthorized access to internal networks connected to the router. The lack of patches elevates the severity, as affected users have no direct mitigation available other than replacing the device.

Recommendation

• Deploy the Sigma rule Detect D-Link DIR-605L Buffer Overflow Attempt to identify malicious POST requests targeting the /goform/formSetMACFilter endpoint on D-Link DIR-605L devices.
• Implement network segmentation to isolate potentially vulnerable D-Link DIR-605L routers to limit the impact of a successful compromise.
• If possible, replace D-Link DIR-605L routers (version 2.13B01) with newer, supported devices to eliminate the vulnerability.

]]>criticaladvisorycvebuffer_overflowrouterd-linkhttps://feed.craftedsignal.io/briefs/2026-04-dlink-command-injection/Thu, 09 Apr 2026 05:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-command-injection/A command injection vulnerability (CVE-2026-5844) exists in the D-Link DIR-882 router version 1.01B02, allowing a remote attacker to execute arbitrary OS commands by manipulating the IPAddress argument in the HNAP1 SetNetworkSettings Handler via the prog.cgi script.CVE-2026-5844 describes a critical command injection vulnerability affecting D-Link DIR-882 routers running firmware version 1.01B02. The vulnerability resides in the sprintf function within the prog.cgi script, specifically within the HNAP1 SetNetworkSettings Handler. A remote, unauthenticated attacker can exploit this flaw by manipulating the IPAddress argument, injecting arbitrary OS commands that are then executed with elevated privileges. The vulnerability is considered critical due to the potential for complete system compromise and the availability of a public exploit. This vulnerability impacts products that are no longer supported by the maintainer, increasing the risk for users who have not migrated to newer devices.

Attack Chain

1. The attacker identifies a vulnerable D-Link DIR-882 router running firmware version 1.01B02.
2. The attacker sends a crafted HTTP request to the prog.cgi endpoint.
3. The HTTP request targets the HNAP1 SetNetworkSettings Handler.
4. The attacker manipulates the IPAddress argument within the HTTP request, injecting malicious OS commands.
5. The sprintf function in prog.cgi processes the attacker-controlled IPAddress argument without proper sanitization.
6. The injected OS commands are executed on the router’s operating system due to the command injection vulnerability in sprintf.
7. The attacker gains remote code execution on the router.
8. The attacker can then perform actions such as modifying router settings, eavesdropping on network traffic, or using the router as a botnet node.

Impact

Successful exploitation of CVE-2026-5844 allows a remote attacker to execute arbitrary OS commands on the vulnerable D-Link DIR-882 router. This can lead to a complete compromise of the device, enabling attackers to reconfigure the router, intercept network traffic, or use the compromised device as part of a botnet. The vulnerability affects end-of-life products, meaning no official patches are available. The impact is significant due to the widespread use of these routers in home and small business networks, where they can act as a gateway to internal systems.

Recommendation

• Deploy the Sigma rule Detect D-Link DIR-882 Command Injection Attempt to detect suspicious requests to prog.cgi containing shell metacharacters.
• Block access to the URL https://files.catbox.moe/ei31k1.zip to prevent the download of the publicly available exploit (IOC).
• Monitor web server logs for HTTP requests to prog.cgi with unusually long IPAddress parameters (log source: webserver).
• Implement network intrusion detection systems (IDS) rules to identify and block exploit attempts targeting CVE-2026-5844 (log source: network_connection).

]]>criticaladvisorycommand-injectiond-linkroutercve-2026-5844https://feed.craftedsignal.io/briefs/2026-04-dlink-router-vulnerability/Wed, 08 Apr 2026 09:58:56 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-router-vulnerability/The 'Airsnitch' vulnerability in D-LINK Router M60 and DIR-3040 allows an attacker from an adjacent network to bypass security measures, disclose confidential information, and manipulate network traffic.The ‘Airsnitch’ vulnerability affects D-LINK Router models M60 and DIR-3040. An attacker positioned within an adjacent network can exploit this flaw to circumvent security protocols. This access allows the attacker to potentially expose sensitive data and manipulate network traffic. The specifics of the vulnerability exploitation are not detailed in this advisory, but the impact suggests a significant compromise of network security and data integrity. Defenders should prioritize identifying and mitigating this vulnerability to prevent unauthorized access and data breaches. This vulnerability poses a risk to both home and enterprise networks utilizing the affected D-LINK router models.

Attack Chain

1. Attacker gains access to an adjacent network, either physically or via compromised wireless access.
2. Attacker sends crafted network packets targeting the D-LINK router’s management interface.
3. The ‘Airsnitch’ vulnerability is exploited, bypassing authentication or authorization checks.
4. Attacker gains unauthorized access to the router’s configuration settings.
5. Attacker modifies DNS settings to redirect traffic to malicious servers.
6. Attacker intercepts and analyzes network traffic, capturing sensitive information like usernames and passwords.
7. Attacker injects malicious code into network traffic, potentially compromising other devices on the network.
8. Attacker maintains persistent access by creating a rogue administrator account or installing malicious firmware.

Impact

Successful exploitation of the ‘Airsnitch’ vulnerability can lead to significant compromise of network security. Attackers can gain unauthorized access to sensitive information, manipulate network traffic, and potentially compromise other devices on the network. This can result in data breaches, financial losses, and reputational damage. The number of potential victims is significant, given the widespread use of D-LINK routers in both home and enterprise environments.

Recommendation

• Analyze network traffic for suspicious patterns indicative of unauthorized access attempts to the D-LINK router’s management interface to facilitate tuning of existing firewall rules and creation of new rules.
• Monitor DNS settings on D-LINK routers for unauthorized modifications using network monitoring tools.
• Implement strict access control policies on the adjacent network to limit the attacker’s ability to reach the D-LINK routers.

]]>highadvisoryd-linkrouterairsnitchvulnerabilitynetwork-traffic-manipulationhttps://feed.craftedsignal.io/briefs/2024-01-dlink-dir825-buffer-overflow/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-dlink-dir825-buffer-overflow/A buffer overflow vulnerability (CVE-2026-7069) exists in the AddPortMapping function of the miniupnpd component within D-Link DIR-825 routers (up to version 3.00b32), potentially enabling attackers on the local network to execute arbitrary code.A buffer overflow vulnerability, identified as CVE-2026-7069, has been discovered in D-Link DIR-825 routers with firmware versions up to 3.00b32. The vulnerability resides within the AddPortMapping function of the upnpsoap.c file, part of the miniupnpd component. An attacker on the local network can exploit this vulnerability by manipulating the NewPortMappingDescription argument, leading to a buffer overflow. Given that the exploit is publicly available, the risk of exploitation is elevated. This vulnerability is especially critical as it affects end-of-life products, meaning that official patches are unlikely to be released.

Attack Chain

1. Attacker gains access to the local network, either through physical access or compromising a device on the network.
2. The attacker identifies a vulnerable D-Link DIR-825 router running a firmware version up to 3.00b32.
3. The attacker crafts a malicious SOAP request targeting the UPnP service on the router.
4. The crafted request includes a NewPortMappingDescription argument with a payload exceeding the buffer’s capacity in the AddPortMapping function within upnpsoap.c.
5. The router’s miniupnpd component processes the SOAP request, triggering the buffer overflow when writing the overly long NewPortMappingDescription.
6. The buffer overflow overwrites adjacent memory locations, potentially including critical function pointers or return addresses.
7. The attacker redirects execution flow to malicious code injected into the overflowed buffer.
8. The attacker executes arbitrary code on the router, potentially gaining full control of the device or using it as a pivot point to attack other devices on the network.

Impact

Successful exploitation of CVE-2026-7069 allows an attacker on the local network to execute arbitrary code on the vulnerable D-Link DIR-825 router. This can lead to complete compromise of the router, allowing the attacker to eavesdrop on network traffic, modify DNS settings, or use the router to launch attacks against other devices within the network or on the internet. Given the end-of-life status of the affected devices, a large number of potentially vulnerable routers may remain in use, making this a significant threat.

Recommendation

• Disable UPnP on D-Link DIR-825 routers where possible to prevent exploitation of CVE-2026-7069.
• Monitor network traffic for suspicious SOAP requests targeting the UPnP service (miniupnpd) on internal network devices using a network intrusion detection system (NIDS). Deploy the Sigma rule targeting HTTP POST requests to the UPnP service.
• Segment networks to limit the impact of a compromised router in case of successful exploitation.

]]>highadvisorybuffer-overflowcveminiupnpdd-link