Multiple severe vulnerabilities in D-Link router models could allow remote attackers to execute arbitrary code and gain unauthorized access to network infrastructure.

Summary
1. Six severe vulnerabilities in D-Link DIR-816 routers permit remote code execution (CVSS 9.8).
2. Buffer overflow and command injection flaws allow complete control of the router via its web interface.
3. No security updates will be provided: all DIR-816 models are End-of-Life and remain vulnerable.

The vulnerabilities affect every hardware revision and firmware version of the non-US DIR-816 models, which have reached End-of-Life (EOL) status.

Buffer Overflow Issues Allow Remote Code Execution

Four of the six vulnerabilities are critical stack-based buffer overflows with CVSS ratings of 9.8, placing them in the highest severity tier (Critical).

They include CVE-2025-5622, which affects the wirelessApcli_5g function in /goform/wirelessApcli_5g, where manipulating the parameters apcli_mode_5g, apcli_enc_5g, and apcli_default_key_5g results in memory corruption.

CVE-2025-5623 and CVE-2025-5624 both affect the qosClassifier function in /goform/qosClassifier, where the dip_address and sip_address arguments can be manipulated to trigger stack-based buffer overflows.

The fourth critical flaw, CVE-2025-5630, affects the /goform/form2lansetup.cgi file and is triggered by manipulating the IP parameter.

These vulnerabilities are classified under CWE-121 (Stack-based Buffer Overflow) and CWE-119 (Memory Corruption). They let attackers overwrite memory regions and potentially execute malicious code with administrative privileges.

Command Injection Vulnerabilities 

The two remaining vulnerabilities are operating system command injection flaws. CVE-2025-5620 affects the setipsec_config function in /goform/setipsec_config, where attackers can manipulate the localIP and remoteIP parameters to inject arbitrary system commands.

Similarly, CVE-2025-5621 affects the same qosClassifier function via the dip_address and sip_address parameters.

These command injection vulnerabilities, classified under CWE-78 (OS Command Injection) and CWE-77 (Command Injection), have CVSS scores of 7.3 and allow attackers to execute unauthorized operating system commands remotely.

| CVE | Description | CVSS 3.1 Score |
|---|---|---|
| CVE-2025-5622 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5623 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5624 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5630 | Stack-based buffer overflow | 9.8 (Critical) |
| CVE-2025-5620 | OS command injection | 7.3 (High) |
| CVE-2025-5621 | OS command injection | 7.3 (High) |
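
Both flaw classes above involve request parameters that are meant to carry an IP address (dip_address, sip_address, localIP, remoteIP) reaching a stack buffer or a system command. The C helper below is an added illustration of the validation such a handler needs; it is not D-Link firmware code or part of the original report, and the function name copy_ipv4_param, the IPv4-only assumption and the sample inputs are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not D-Link code): accept a form value only if it is a
 * strict dotted-quad IPv4 address, then store it in a caller-sized buffer.
 * Returns 0 on success, -1 on rejection. */
int copy_ipv4_param(const char *value, char *out, size_t out_len)
{
    struct in_addr addr;
    size_t len;

    if (value == NULL || out == NULL || out_len == 0)
        return -1;

    /* Allow-list digits and dots only, so ';', '|', '`', '$', spaces and
     * newlines can never reach a command line (the CWE-78 case). */
    len = strspn(value, "0123456789.");
    if (value[len] != '\0')
        return -1;

    /* Bound the length before anything is copied: "255.255.255.255" is 15
     * characters, so longer input cannot be valid (the CWE-121 case). */
    if (len == 0 || len >= INET_ADDRSTRLEN || len >= out_len)
        return -1;

    /* Let the library decide whether the text is a well-formed address. */
    if (inet_pton(AF_INET, value, &addr) != 1)
        return -1;

    /* Re-serialise from the parsed form so only canonical text is stored. */
    if (inet_ntop(AF_INET, &addr, out, (socklen_t)out_len) == NULL)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "192.168.0.10", "10.0.0.1;echo x",
                              "1.2.3.4.5", "999.1.1.1", "" };
    char buf[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               copy_ipv4_param(samples[i], buf, sizeof buf) == 0 ? buf : "rejected");
    return 0;
}
```

Validating once at the boundary covers both sinks: the value that reaches a fixed-size buffer is length-bounded, and the value that reaches a command string contains no shell metacharacters.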

Immediate Device Retirement Advised 

The vulnerabilities were first disclosed by security researcher pjqwudi through VulDB disclosure, underscoring the critical nature of these network infrastructure security weaknesses.

D-Link has officially designated all DIR-816 models as End-of-Service (EOS), meaning that no firmware updates or security patches will be made available.

The company strongly urges immediate retirement of these devices, cautioning that continued use poses significant security risks to connected networks.

Users are encouraged to move to current-generation products with ongoing firmware development, perform thorough data backups, and contact D-Link regional offices for replacement recommendations.

The post Numerous Severe Vulnerabilities in D-Link Routers Enable Remote Execution of Arbitrary Code appeared first on Cyber Security News.