A critical stack-based buffer overflow in the D-Link DIR-825 Rev.B 2.10 router firmware allows unauthenticated, zero-click remote attackers to crash the device's HTTP server.
Tracked as CVE-2025-7206, the flaw resides in the router's httpd binary and stems from improper handling of the language parameter in the switch_language.cgi endpoint.
Exploitation requires no valid credentials or user interaction, meaning an adversary only needs network access to the target device's management interface to trigger a denial-of-service condition.
Key Takeaways
1. An unauthenticated stack overflow in DIR-825 Rev.B 2.10 crashes the HTTP server.
2. An oversized language parameter sent to switch_language.cgi is stored in NVRAM and triggers the overflow.
3. The zero-click DoS disrupts VPNs, guest Wi-Fi, and IoT device management that rely on the router.
4. Apply the firmware patch, restrict web-UI access, and flag unusually long language POSTs.
D-Link 0-Click Vulnerability (CVE-2025-7206)
According to the security researcher iC0rner, the flaw lies in the sub_410DDC function inside the httpd executable, which directly accepts attacker-controlled input without length checks.
Specifically, when an HTTP POST is made to switch_language.cgi, the language parameter is written into NVRAM for persistent storage.
This happens before any sanitization, meaning a maliciously long string is stored as-is and can overflow the local stack frame.
Once the oversized NVRAM entry is stored, any subsequent request to a front-end ASP page (e.g., login.asp) triggers dynamic loading of the corresponding language JavaScript file, which the page includes by reference.
While parsing that page, httpd enters the do_ebd_js path, which eventually calls nvram_get("language").
The returned string is passed through a convoluted series of internal functions, including sub_40bFC4, where another unsafe concatenation writes beyond the intended buffer, ultimately causing a segmentation fault and crashing the service.
Risk Factors
Affected Products: D-Link DIR-825 Rev.B 2.10
Impact: Stack-based buffer overflow (httpd crash, denial of service)
Exploit Prerequisites: Network access to the router's web management interface (typically port 80/443); no authentication required
CVSS 3.1 Score: 9.8 (Critical)
Proof-of-Concept Exploit
A minimal proof-of-concept (PoC) demonstrates the crash in two steps. First, set an oversized language value via a POST to switch_language.cgi.
Immediately afterwards, a simple GET of any ASP page triggers the overflow.
The overly long NVRAM entry corrupts the stack during sub_40bFC4, leading to an immediate crash of the httpd process without any authentication or explicit user action.
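The following C program is an added reconstruction of the two-stage flow described in the vulnerability write-up and walked through by the PoC above; it is not D-Link's code or the researcher's disassembly. It models an unchecked store in a switch_language.cgi handler followed by an unchecked concatenation in the page-render path, and places a hardened version of each stage beside it. The simulated NVRAM, the buffer sizes, the "/js/<language>.js" path format and all function names other than nvram_get("language") are assumptions; only the parameter name and the endpoint come from the write-up. For the oversized value the program reports that the vulnerable render path would overflow rather than calling it, since calling it is the crash.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NVRAM_VALUE_MAX 2048   /* assumed capacity of the simulated NVRAM slot */
#define JS_PATH_MAX     64     /* assumed size of the stack buffer in the render path */
#define LANG_CODE_MAX   8      /* longest language code the hardened handler accepts */

/* Constructed stand-in for the device's NVRAM: one persistent "language" key.
 * The slot is deliberately large, so an oversized value survives the write and
 * is handed back unchanged to every later nvram_get("language"). */
static char g_nvram_language[NVRAM_VALUE_MAX] = "en";

static void nvram_set_language(const char *value) {
    snprintf(g_nvram_language, sizeof g_nvram_language, "%s", value);
}

const char *nvram_get_language(void) { return g_nvram_language; }

/* A 599-byte run of 'A', used as the oversized PoC value (constructed). */
const char *oversized_language_sample(void) {
    static char big[600];
    if (big[0] == '\0') { memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0'; }
    return big;
}

/* ---- Vulnerable pattern, reconstructed from the advisory's description ---- */

/* Stage 1: switch_language.cgi persists the POST parameter with no checks. */
void switch_language_cgi_vulnerable(const char *language_param) {
    nvram_set_language(language_param);
}

/* Stage 2: rendering an ASP page builds "/js/<language>.js" in a fixed stack
 * buffer.  strcat() cannot know how big `path` is, so an oversized NVRAM value
 * smashes the frame.  Call this only while NVRAM holds a short value. */
size_t do_ebd_js_vulnerable(char *out, size_t outsz) {
    char path[JS_PATH_MAX];
    strcpy(path, "/js/");
    strcat(path, nvram_get_language());   /* unchecked concatenation */
    strcat(path, ".js");
    snprintf(out, outsz, "%s", path);
    return strlen(path);
}

/* Bytes the render path needs for a given value, NUL included.  Lets the
 * overflow condition be shown without triggering it. */
size_t js_path_bytes_needed(const char *language) {
    return strlen("/js/") + strlen(language) + strlen(".js") + 1;
}

int vulnerable_would_overflow(void) {
    return js_path_bytes_needed(nvram_get_language()) > JS_PATH_MAX;
}

/* ---- Hardened pattern ---- */

/* Validate before the write: only short codes of [a-z0-9_-] (e.g. "en",
 * "zh-cn") reach NVRAM.  Returns 1 if stored, 0 if rejected. */
int switch_language_cgi_hardened(const char *language_param) {
    size_t n = strlen(language_param);
    if (n == 0 || n > LANG_CODE_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)language_param[i];
        if (!(islower(c) || isdigit(c) || c == '-' || c == '_')) return 0;
    }
    nvram_set_language(language_param);
    return 1;
}

/* Bounds-checked render path.  Even if NVRAM was already poisoned (for example
 * by an older firmware), snprintf() cannot write past `path`, and a truncated
 * result is refused (-1) rather than used.  Returns the path length on success. */
int do_ebd_js_hardened(char *out, size_t outsz) {
    char path[JS_PATH_MAX];
    int n = snprintf(path, sizeof path, "/js/%s.js", nvram_get_language());
    if (n < 0 || (size_t)n >= sizeof path || (size_t)n >= outsz) return -1;
    memcpy(out, path, (size_t)n + 1);
    return n;
}

/* Walks the PoC's two steps against both implementations. */
int main(void) {
    char out[128];

    switch_language_cgi_vulnerable("en");
    do_ebd_js_vulnerable(out, sizeof out);
    printf("vulnerable, short value        : %s\n", out);

    switch_language_cgi_vulnerable(oversized_language_sample());   /* PoC step 1 */
    printf("vulnerable, PoC value          : would overflow=%d (%zu bytes needed, %d available)\n",
           vulnerable_would_overflow(), js_path_bytes_needed(nvram_get_language()), JS_PATH_MAX);
    /* PoC step 2 (the GET) would call do_ebd_js_vulnerable() here: that is the crash. */

    printf("hardened rejects PoC value     : %d\n", !switch_language_cgi_hardened(oversized_language_sample()));
    printf("hardened refuses poisoned NVRAM: %d\n", do_ebd_js_hardened(out, sizeof out) == -1);
    switch_language_cgi_hardened("en");
    do_ebd_js_hardened(out, sizeof out);
    printf("hardened, valid value          : %s\n", out);
    return 0;
}
```

The hardened version checks in both places on purpose: validating at the POST keeps a bad value out of persistent storage, and bounds-checking at render time means a value that is already sitting in NVRAM (written by an earlier, unpatched firmware) cannot crash the patched httpd on its next page request.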
Mitigations
Organizations relying on the DIR-825 Rev.B 2.10 for VPN termination, guest networks, or IoT segmentation should consider the following mitigations:
Apply Firmware Update: D-Link should release a patched firmware version that enforces strict input validation on the language parameter and ensures proper bounds checking in sub_40bFC4; apply it as soon as it is available.
Network Access Controls: Block access to the router's web management interface from untrusted networks and from the internet at large.
Intrusion Detection: Monitor for anomalous HTTP POST requests to switch_language.cgi containing abnormally long language values, and flag or block them at the perimeter firewall.
By implementing these measures, administrators can guard against CVE-2025-7206 and restore confidence in their network edge security.
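To make the intrusion-detection item concrete, here is an added example (not from the original article or any vendor rule set) of the check a log-inspection or proxy hook would run: it parses a raw HTTP request and flags a POST to switch_language.cgi whose language form field is longer than a threshold. The 16-byte threshold, the sample requests, and the host 192.168.0.1 are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed alert threshold: legitimate language codes are a few bytes, so a
 * value longer than this in the POST body is worth flagging. */
#define LANGUAGE_LEN_THRESHOLD 16

/* If `raw` is a POST to switch_language.cgi whose x-www-form-urlencoded body
 * carries a "language" field longer than `threshold`, return that field's
 * length (the alert detail); otherwise return 0. */
size_t flag_switch_language_request(const char *raw, size_t threshold) {
    static const char req_line[] = "POST /switch_language.cgi";
    if (strncmp(raw, req_line, sizeof req_line - 1) != 0) return 0;

    const char *body = strstr(raw, "\r\n\r\n");    /* end of headers */
    if (!body) return 0;
    body += 4;

    for (const char *p = body; *p; ) {             /* one form field per iteration */
        const char *amp = strchr(p, '&');
        size_t field_len = amp ? (size_t)(amp - p) : strlen(p);
        if (field_len >= 9 && strncmp(p, "language=", 9) == 0) {
            size_t value_len = field_len - 9;
            return value_len > threshold ? value_len : 0;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return 0;
}

/* Constructed sample traffic (not captures from a real device). */
const char SAMPLE_BENIGN_POST[] =
    "POST /switch_language.cgi HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "language=en&submit=Apply";

const char SAMPLE_GET[] =
    "GET /login.asp HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n";

/* Builds a constructed POST whose language value is `lang_len` bytes of 'A',
 * with the field placed after another one to exercise the body walk.
 * Returns the request length, or 0 if `buf` is too small. */
size_t build_oversized_post(char *buf, size_t bufsz, size_t lang_len) {
    static const char head[] =
        "POST /switch_language.cgi HTTP/1.1\r\n"
        "Host: 192.168.0.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "submit=Apply&language=";
    static const char tail[] = "&x=1";
    size_t need = (sizeof head - 1) + lang_len + (sizeof tail - 1) + 1;
    if (need > bufsz) return 0;
    memcpy(buf, head, sizeof head - 1);
    memset(buf + (sizeof head - 1), 'A', lang_len);
    memcpy(buf + (sizeof head - 1) + lang_len, tail, sizeof tail);  /* copies the NUL too */
    return need - 1;
}

int main(void) {
    char buf[1024];
    size_t n = build_oversized_post(buf, sizeof buf, 512);
    printf("benign POST           -> flagged length %zu\n",
           flag_switch_language_request(SAMPLE_BENIGN_POST, LANGUAGE_LEN_THRESHOLD));
    printf("GET /login.asp        -> flagged length %zu\n",
           flag_switch_language_request(SAMPLE_GET, LANGUAGE_LEN_THRESHOLD));
    printf("oversized POST (%zu B) -> flagged length %zu\n", n,
           flag_switch_language_request(buf, LANGUAGE_LEN_THRESHOLD));
    return 0;
}
```

The check does not URL-decode the value, so a percent-encoded payload counts three bytes per character; that only makes the rule fire sooner, which is the safe direction for a length-based signature. A production rule would also inspect the query string and chunked bodies, which this example leaves out.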