{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dlink/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7289"}],"_cs_exploited":false,"_cs_products":["DIR-825M"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","router","dlink","cve"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA buffer overflow vulnerability exists in D-Link DIR-825M router version 1.1.12. The vulnerability is located within the \u003ccode\u003esub_414BA8\u003c/code\u003e function of the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e file. An attacker can exploit this flaw by manipulating the \u003ccode\u003esubmit-url\u003c/code\u003e argument, leading to arbitrary code execution on the device. This vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available, increasing the risk of widespread attacks. Exploitation does not require authentication by default, and could allow an attacker to gain complete control over the device. This poses a significant threat to home and small business networks relying on this router model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-825M router running firmware version 1.1.12.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003esubmit-url\u003c/code\u003e argument in the POST request, injecting a buffer overflow payload.\u003c/li\u003e\n\u003cli\u003eThe crafted payload overflows the buffer in the \u003ccode\u003esub_414BA8\u003c/code\u003e function during the processing of the \u003ccode\u003esubmit-url\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical memory regions, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esub_414BA8\u003c/code\u003e function returns, control is redirected to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload executes arbitrary code, potentially downloading and executing a secondary payload.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell access to the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the D-Link DIR-825M router. This can lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the router as a botnet node for further malicious activities. Given the widespread use of D-Link routers in home and small business networks, a successful attack could compromise a large number of devices and networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from D-Link to patch CVE-2026-7289.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious POST requests to \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e with overly long \u003ccode\u003esubmit-url\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T15:16:37Z","date_published":"2026-04-28T15:16:37Z","id":"/briefs/2026-04-dlink-buffer-overflow/","summary":"D-Link DIR-825M version 1.1.12 is vulnerable to a buffer overflow via manipulation of the submit-url argument in the /boafrm/formWanConfigSetup file's sub_414BA8 function, allowing a remote attacker to execute arbitrary code.","title":"D-Link DIR-825M Remote Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5979"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["dlink","router","buffer_overflow","cve-2026-5979"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA buffer overflow vulnerability, CVE-2026-5979, has been identified in D-Link DIR-605L router with firmware version 2.13B01. The vulnerability resides in the \u003ccode\u003eformVirtualServ\u003c/code\u003e function within the \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e component, specifically within the POST request handler. By manipulating the \u003ccode\u003ecurTime\u003c/code\u003e argument, a remote attacker can trigger a buffer overflow. According to the NVD, an exploit is publicly available, increasing the risk of exploitation. This vulnerability affects end-of-life products, making patching impossible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable D-Link DIR-605L router running firmware 2.13B01.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003ecurTime\u003c/code\u003e argument with a value exceeding the buffer\u0026rsquo;s capacity.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003eformVirtualServ\u003c/code\u003e function processes the POST request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003ecurTime\u003c/code\u003e value overwrites adjacent memory regions on the stack or heap.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow payload to overwrite the return address.\u003c/li\u003e\n\u003cli\u003eUpon returning from the \u003ccode\u003eformVirtualServ\u003c/code\u003e function, control is transferred to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially gaining full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability (CVE-2026-5979) can lead to complete compromise of the D-Link DIR-605L router. Attackers could potentially execute arbitrary code, enabling them to modify router settings, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Due to the product being end-of-life, a patch is not available. The number of vulnerable devices is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e with unusually long \u003ccode\u003ecurTime\u003c/code\u003e parameters to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Suspiciously Long curTime Parameter in D-Link Routers\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect suspicious traffic patterns associated with buffer overflow exploits targeting web interfaces.\u003c/li\u003e\n\u003cli\u003eSince this device is end-of-life, consider replacing the D-Link DIR-605L router with a supported model to mitigate the risk, as there will be no patches issued.\u003c/li\u003e\n\u003cli\u003eExamine network traffic for unusual outbound connections originating from D-Link DIR-605L routers to identify potentially compromised devices (see Sigma rule \u0026ldquo;Detect Outbound Connections from D-Link Routers\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:13Z","date_published":"2026-04-09T21:16:13Z","id":"/briefs/2026-04-dlink-dir605l-bo/","summary":"A remote buffer overflow vulnerability exists in the D-Link DIR-605L version 2.13B01 due to improper handling of the 'curTime' argument in the '/goform/formVirtualServ' POST request handler, potentially allowing attackers to execute arbitrary code.","title":"D-Link DIR-605L Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-bo/"}],"language":"en","title":"CraftedSignal Threat Feed — Dlink","version":"https://jsonfeed.org/version/1.1"}