<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>D-Link — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/d-link/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 28 Apr 2026 15:16:37 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/d-link/feed.xml" rel="self" type="application/rss+xml"/><item><title>D-Link DIR-825M Remote Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-dlink-buffer-overflow/</link><pubDate>Tue, 28 Apr 2026 15:16:37 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-dlink-buffer-overflow/</guid><description>D-Link DIR-825M version 1.1.12 is vulnerable to a buffer overflow via manipulation of the submit-url argument in the /boafrm/formWanConfigSetup file's sub_414BA8 function, allowing a remote attacker to execute arbitrary code.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability exists in D-Link DIR-825M router version 1.1.12. The vulnerability is located within the <code>sub_414BA8</code> function of the <code>/boafrm/formWanConfigSetup</code> file. An attacker can exploit this flaw by manipulating the <code>submit-url</code> argument, leading to arbitrary code execution on the device. This vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available, increasing the risk of widespread attacks. Exploitation does not require authentication by default, and could allow an attacker to gain complete control over the device. 
This poses a significant threat to home and small business networks relying on this router model.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable D-Link DIR-825M router running firmware version 1.1.12.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/boafrm/formWanConfigSetup</code> endpoint.</li>
<li>The attacker includes the <code>submit-url</code> argument in the POST request, injecting a buffer overflow payload.</li>
<li>The crafted payload overflows the buffer in the <code>sub_414BA8</code> function during the processing of the <code>submit-url</code> argument.</li>
<li>The buffer overflow overwrites critical memory regions, including the return address.</li>
<li>When the <code>sub_414BA8</code> function returns, control is redirected to the attacker-controlled address.</li>
<li>The attacker&rsquo;s payload executes arbitrary code, potentially downloading and executing a secondary payload.</li>
<li>The attacker gains remote shell access to the router.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the D-Link DIR-825M router. This can lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the router as a botnet node for further malicious activities. Given the widespread use of D-Link routers in home and small business networks, a successful attack could compromise a large number of devices and networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available firmware updates from D-Link to patch CVE-2026-7289.</li>
<li>Deploy the following Sigma rule to detect suspicious POST requests to <code>/boafrm/formWanConfigSetup</code> with overly long <code>submit-url</code> parameters.</li>
<li>Monitor web server logs for suspicious activity related to the <code>/boafrm/formWanConfigSetup</code> endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>router</category><category>dlink</category><category>cve</category></item><item><title>D-Link DI-8100 Remote Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/</link><pubDate>Tue, 28 Apr 2026 09:16:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/</guid><description>A buffer overflow vulnerability in the D-Link DI-8100 router allows remote attackers to execute arbitrary code by manipulating the 'fn' argument in the tgfile_htm function of the CGI endpoint.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, identified as CVE-2026-7248, affects the D-Link DI-8100 router, specifically version 16.07.26A1. The vulnerability resides within the <code>tgfile_htm</code> function of the <code>tgfile.htm</code> file, a component of the CGI endpoint. By crafting a malicious request targeting the <code>fn</code> argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is particularly concerning as a proof-of-concept exploit has been publicly released, increasing the likelihood of exploitation. Routers are often targeted due to their exposure to the internet and the potential to compromise entire networks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable D-Link DI-8100 router running firmware version 16.07.26A1.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>tgfile.htm</code> CGI endpoint.</li>
<li>The malicious request includes an overly long string in the <code>fn</code> argument.</li>
<li>The router&rsquo;s web server processes the request and passes the <code>fn</code> argument to the <code>tgfile_htm</code> function.</li>
<li>The <code>tgfile_htm</code> function fails to properly validate the length of the <code>fn</code> argument.</li>
<li>A buffer overflow occurs when the overly long <code>fn</code> argument is copied into a fixed-size buffer.</li>
<li>The buffer overflow overwrites adjacent memory, potentially including return addresses or other critical data.</li>
<li>The attacker gains arbitrary code execution on the router, potentially allowing them to take full control of the device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code on the D-Link DI-8100 router. This could lead to a complete compromise of the device, allowing the attacker to intercept network traffic, modify router settings, or use the router as a launchpad for further attacks against other devices on the network. Given the public availability of an exploit, widespread exploitation is possible, potentially affecting numerous home and small business networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for abnormally long <code>fn</code> parameters in requests to <code>/tgfile.htm</code> using the provided Sigma rule to detect potential exploitation attempts.</li>
<li>Implement rate limiting on HTTP requests to the router&rsquo;s web interface to mitigate brute-force exploitation attempts.</li>
<li>Since the source material identifies the vulnerability but no patch, consider replacing the affected device.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-7248</category><category>buffer-overflow</category><category>d-link</category><category>router</category></item><item><title>D-Link DIR-822 A_101 Command Injection via DHCP Hostname</title><link>https://feed.craftedsignal.io/briefs/2026-04-dlink-dir822-cmd-injection/</link><pubDate>Mon, 27 Apr 2026 00:20:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-dlink-dir822-cmd-injection/</guid><description>A command injection vulnerability exists in D-Link DIR-822 A_101, specifically within the udhcpd DHCP service; by manipulating the Hostname argument, a remote attacker can inject commands, but the affected product is no longer supported.</description><content:encoded><![CDATA[<p>A command injection vulnerability, tracked as CVE-2026-7067, has been identified in D-Link DIR-822 hardware with firmware version A_101. The vulnerability lies within the udhcpd DHCP service, specifically in the handling of the Hostname argument in the /udhcpcd/dhcpd.c file. A remote attacker can exploit this flaw by injecting arbitrary commands through a crafted Hostname field in a DHCP request. While a proof-of-concept exploit is publicly available, this vulnerability is less impactful because the D-Link DIR-822 A_101 is no longer supported by the vendor, potentially limiting the number of affected devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable D-Link DIR-822 A_101 device.</li>
<li>The attacker crafts a malicious DHCP request containing a command injection payload in the Hostname field.</li>
<li>The attacker sends the crafted DHCP request to the vulnerable device.</li>
<li>The udhcpd service parses the DHCP request and extracts the Hostname.</li>
<li>Due to insufficient input validation, the injected command within the Hostname is passed to the <code>system</code> function.</li>
<li>The <code>system</code> function executes the injected command with the privileges of the udhcpd process (typically root).</li>
<li>The attacker achieves arbitrary code execution on the device.</li>
<li>The attacker can then perform actions such as gaining persistent access, modifying device configuration, or using the device as part of a botnet.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this command injection vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected D-Link DIR-822 A_101 device. Given the end-of-life status of the product, patching is unlikely, leaving devices vulnerable. An attacker could leverage this vulnerability to gain complete control of the router, potentially compromising networks connected to it. The specific number of vulnerable devices is unknown, but the impact could be significant if many devices remain in use.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule to detect command injection attempts via DHCP Hostname (Sigma rule: <code>DHCP Hostname Command Injection</code>).</li>
<li>Monitor network traffic for suspicious DHCP requests containing unusual characters or command sequences in the Hostname field, using network monitoring tools.</li>
<li>Consider network segmentation to isolate potentially vulnerable D-Link DIR-822 A_101 devices from critical network resources.</li>
<li>If replacement is not immediately feasible, implement strict access control lists on the firewall to limit access to the D-Link DIR-822 A_101 device&rsquo;s management interface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>dhcp</category><category>iot</category></item><item><title>D-Link DWM-222W USB Wi-Fi Adapter Brute-Force Protection Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-dlink-brute-force-bypass/</link><pubDate>Fri, 24 Apr 2026 04:16:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-dlink-brute-force-bypass/</guid><description>D-Link DWM-222W USB Wi-Fi Adapter is vulnerable to brute-force attacks due to a protection bypass, allowing unauthenticated adjacent network attackers to gain control over the device by circumventing login attempt limits.</description><content:encoded><![CDATA[<p>The D-Link DWM-222W USB Wi-Fi Adapter is susceptible to a brute-force protection bypass vulnerability (CVE-2026-6947). This flaw allows an attacker on an adjacent network to circumvent the built-in login attempt limits. By repeatedly attempting different credentials without being blocked, an attacker can successfully brute-force the password and gain unauthorized access to the device. This vulnerability poses a significant risk as it enables attackers to potentially reconfigure the device, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Successful exploitation leads to full control over the D-Link Wi-Fi adapter.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker locates a vulnerable D-Link DWM-222W USB Wi-Fi Adapter within adjacent network range.</li>
<li>The attacker initiates network communication with the device, targeting its login interface, likely via HTTP or HTTPS.</li>
<li>The attacker sends a series of login requests with different username and password combinations.</li>
<li>Due to the brute-force protection bypass, the device does not enforce login attempt limits or implement account lockout mechanisms.</li>
<li>The attacker continues sending login requests until the correct credentials are found.</li>
<li>Upon successful authentication, the attacker gains administrative access to the D-Link DWM-222W USB Wi-Fi Adapter&rsquo;s configuration interface.</li>
<li>The attacker reconfigures the device to their specifications, potentially enabling remote access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6947 allows an attacker to gain complete control over the D-Link DWM-222W USB Wi-Fi Adapter. This can lead to unauthorized access to the network it connects to, data interception, or the device being used as a launchpad for further attacks within the network. The impact is significant, as it bypasses standard security measures and grants full administrative privileges to the attacker.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for excessive authentication attempts targeting the D-Link DWM-222W USB Wi-Fi Adapter to detect potential brute-force attacks. Deploy the Sigma rule <code>Detect Excessive Authentication Attempts</code> to identify such activity.</li>
<li>Implement network segmentation to limit the impact of a compromised D-Link DWM-222W USB Wi-Fi Adapter.</li>
<li>If possible, disable remote management interfaces on the D-Link DWM-222W USB Wi-Fi Adapter to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>brute-force</category><category>credential-access</category><category>network-device</category></item><item><title>Mirai Campaign Exploiting CVE-2025-29635 in D-Link Routers</title><link>https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/</link><pubDate>Thu, 23 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/</guid><description>A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.</description><content:encoded><![CDATA[<p>A new Mirai-based malware campaign has been observed exploiting CVE-2025-29635, a high-severity command injection vulnerability affecting D-Link DIR-823X routers. Discovered by Akamai&rsquo;s SIRT in March 2026, the campaign involves attackers sending malicious POST requests to vulnerable D-Link routers to execute arbitrary commands. This vulnerability allows attackers to download and execute a shell script, ultimately leading to the deployment of Mirai-based malware. The affected D-Link routers reached end-of-life in November 2024, meaning a patch is unlikely. The same actor is also exploiting CVE-2023-1389 impacting TP-Link routers, and an RCE flaw in ZTE ZXV10 H108L routers, deploying the same Mirai payload.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a POST request to the <code>/goform/set_prohibiting</code> endpoint on the D-Link DIR-823X router.</li>
<li>The POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.</li>
<li>The injected commands change directories across writable paths on the router.</li>
<li>A shell script named <code>dlink.sh</code> is downloaded from an external IP address.</li>
<li>The <code>dlink.sh</code> script is executed on the compromised router.</li>
<li>The script installs a Mirai-based malware variant named &ldquo;tuxnokill&rdquo;.</li>
<li>&ldquo;tuxnokill&rdquo; establishes persistence and begins scanning for new targets.</li>
<li>The compromised device is then used to launch DDoS attacks, leveraging Mirai&rsquo;s standard capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capabilities. Given that these routers are end-of-life, many remain unpatched, potentially leading to a large number of compromised devices. This can result in network disruptions and service outages for targeted entities, as well as potential data exfiltration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for POST requests to the <code>/goform/set_prohibiting</code> endpoint on D-Link routers, as described in the Attack Chain, to detect potential exploitation attempts.</li>
<li>Deploy the Sigma rule <code>Detect Mirai dlink.sh Download</code> to identify attempts to download the malicious shell script.</li>
<li>If using affected D-Link DIR-823X, TP-Link, or ZTE ZXV10 H108L routers, upgrade to a supported device or implement network segmentation to limit potential damage.</li>
<li>Block the external IP address hosting the <code>dlink.sh</code> script if it can be reliably determined and is observed on your network.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>mirai</category><category>ddos</category><category>rce</category><category>iot</category></item><item><title>D-Link DIR-825 Buffer Overflow Vulnerability in miniupnpd</title><link>https://feed.craftedsignal.io/briefs/2024-01-dlink-dir825-buffer-overflow/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-dlink-dir825-buffer-overflow/</guid><description>A buffer overflow vulnerability (CVE-2026-7069) exists in the AddPortMapping function of the miniupnpd component within D-Link DIR-825 routers (up to version 3.00b32), potentially enabling attackers on the local network to execute arbitrary code.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability, identified as CVE-2026-7069, has been discovered in D-Link DIR-825 routers with firmware versions up to 3.00b32. The vulnerability resides within the <code>AddPortMapping</code> function of the <code>upnpsoap.c</code> file, part of the <code>miniupnpd</code> component. An attacker on the local network can exploit this vulnerability by manipulating the <code>NewPortMappingDescription</code> argument, leading to a buffer overflow. Given that the exploit is publicly available, the risk of exploitation is elevated. This vulnerability is especially critical as it affects end-of-life products, meaning that official patches are unlikely to be released.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to the local network, either through physical access or by compromising a device on the network.</li>
<li>The attacker identifies a vulnerable D-Link DIR-825 router running a firmware version up to 3.00b32.</li>
<li>The attacker crafts a malicious SOAP request targeting the UPnP service on the router.</li>
<li>The crafted request includes a <code>NewPortMappingDescription</code> argument with a payload exceeding the buffer&rsquo;s capacity in the <code>AddPortMapping</code> function within <code>upnpsoap.c</code>.</li>
<li>The router&rsquo;s <code>miniupnpd</code> component processes the SOAP request, triggering the buffer overflow when writing the overly long <code>NewPortMappingDescription</code>.</li>
<li>The buffer overflow overwrites adjacent memory locations, potentially including critical function pointers or return addresses.</li>
<li>The attacker redirects execution flow to malicious code injected into the overflowed buffer.</li>
<li>The attacker executes arbitrary code on the router, potentially gaining full control of the device or using it as a pivot point to attack other devices on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7069 allows an attacker on the local network to execute arbitrary code on the vulnerable D-Link DIR-825 router. This can lead to complete compromise of the router, allowing the attacker to eavesdrop on network traffic, modify DNS settings, or use the router to launch attacks against other devices within the network or on the internet. Given the end-of-life status of the affected devices, a large number of potentially vulnerable routers may remain in use, making this a significant threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Disable UPnP on D-Link DIR-825 routers where possible to prevent exploitation of CVE-2026-7069.</li>
<li>Monitor network traffic for suspicious SOAP requests targeting the UPnP service (miniupnpd) on internal network devices using a network intrusion detection system (NIDS). Deploy the Sigma rule targeting HTTP POST requests to the UPnP service.</li>
<li>Segment networks to limit the impact of a compromised router in case of successful exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer-overflow</category><category>cve</category><category>miniupnpd</category><category>d-link</category></item></channel></rss>