A number of essential vulnerabilities in D-Hyperlink router fashions may enable distant attackers to execute arbitrary code and achieve unauthorized entry to the community infrastructure.
Abstract
1. Six essential vulnerabilities in D-Hyperlink DIR-816 routers enable distant code execution (CVSS 9.8)
2. Buffer overflow and command injection assaults allow full router takeover through the net interface.
3. No safety patches out there – all DIR-816 fashions are Finish-of-Life with everlasting vulnerabilities.
The vulnerabilities have an effect on all {hardware} revisions and firmware variations of the non-US DIR-816 fashions, which have now reached their Finish-of-Life (EOL) standing.
Buffer Overflow Flaws Allow Distant Code Execution
4 of the six vulnerabilities are categorised as essential stack-based buffer overflow assaults with CVSS scores of 9.8, representing the best severity stage.
These flaws embody CVE-2025-5622 affecting the wirelessApcli_5g perform in /goform/wirelessApcli_5g, the place manipulation of parameters apcli_mode_5g, apcli_enc_5g, and apcli_default_key_5g results in reminiscence corruption.
CVE-2025-5623 and CVE-2025-5624 each goal the qosClassifier perform in /goform/qosClassifier, exploiting the dip_address and sip_address arguments to set off stack-based buffer overflows.
A essential vulnerability, CVE-2025-5630, impacts the /goform/form2lansetup.cgi file by means of manipulation of the IP parameter.
These vulnerabilities fall underneath CWE-121 (Stack-based Buffer Overflow) and CWE-119 (Reminiscence Corruption) classes, enabling attackers to overwrite reminiscence segments and doubtlessly execute malicious code with administrative privileges.
Command Injection Vulnerabilities
Two further high-severity vulnerabilities contain OS command injection assaults. CVE-2025-5620 targets the setipsec_config perform in /goform/setipsec_config, the place attackers can manipulate localIP and remoteIP parameters to inject arbitrary system instructions.
Equally, CVE-2025-5621 exploits the identical qosClassifier perform by means of dip_address and sip_address parameters.
These command injection flaws, categorized underneath CWE-78 (OS Command Injection) and CWE-77 (Command Injection), carry CVSS scores of seven.3 and allow attackers to execute unauthorized working system instructions remotely.
CVEsDescriptionCVSS 3.1 ScoreCVE-2025-5622Stack-based buffer overflow9.8 (Vital)CVE-2025-5623Stack-based buffer overflow9.8 (Vital)CVE-2025-5624Stack-based buffer overflow9.8 (Vital)CVE-2025-5630Stack-based buffer overflow 9.8 (Vital)CVE-2025-5620OS command injection7.3 (Excessive)CVE-2025-5621OS command injection 7.3 (Excessive)
Quick Retirement Really useful
The vulnerabilities had been initially disclosed by safety researcher pjqwudi by means of VULdb Disclosure, highlighting the essential nature of those community infrastructure safety flaws.
D-Hyperlink has formally designated all DIR-816 fashions as Finish-of-Service (EOS), which means no firmware updates or safety patches will likely be launched.
The corporate strongly recommends instant retirement of those units, warning that continued use poses vital safety dangers to linked networks.
Customers are suggested to transition to current-generation merchandise with lively firmware improvement, carry out complete information backups, and phone D-Hyperlink regional places of work for alternative suggestions.
Examine dwell malware habits, hint each step of an assault, and make quicker, smarter safety selections -> Attempt ANY.RUN now
