CVE-2022-41140: Unauthenticated RCE bug affects multiple D-Link routers

A critical buffer overflow and remote code execution (RCE) vulnerability affected several unpatched D-Link routers.

Tracked as CVE-2022-41140 with a CVSS score of 8.8, the vulnerability was found in the DIR-867, DIR-878, and DIR-882-US routers. All three models are supported, but only the DIR-878 received a patch.

The issue can be triggered without authentication by sending specially crafted input to the lighttpd service, resulting in a command injection. The lighttpd service listens on TCP port 80 by default. An attacker able to trigger the vulnerability could achieve full system compromise.

“A stack-based buffer overflow in the prog.cgi binary in D-Link DIR-867. A crafted HTTP request can cause the program to use `strcat()` to create an overly long string on a 512-byte stack buffer,” reads the advisory.

CVE-2022-41140 results from the lack of proper validation of the length of user-supplied data before it is copied to a fixed-length stack-based buffer.
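The root cause described above, as an added example (not D-Link's code and not taken from the advisory): the unchecked `strcat()` pattern on a 512-byte stack buffer beside a version that validates the length first. The `value=` prefix, the function names and the 200/400 status codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512            /* stack buffer size named in the advisory */
#define PREFIX   "value="       /* constructed prefix, not from the firmware */

/* Unsafe pattern: strcat() is never told how large dst is, so it writes
 * past the end once strlen(PREFIX) + strlen(user) + 1 exceeds BUF_SIZE. */
void concat_unchecked(char *dst, const char *user)
{
    strcpy(dst, PREFIX);
    strcat(dst, user);
}

/* Hardened form: validate the combined length before copying anything.
 * Returns 0 on success, -1 if the result (with NUL) would not fit. */
int concat_checked(char *dst, size_t dst_size, const char *user)
{
    size_t plen = strlen(PREFIX), ulen = strlen(user);
    /* Written as a subtraction so plen + ulen cannot wrap around. */
    if (plen >= dst_size || ulen > dst_size - 1 - plen)
        return -1;
    memcpy(dst, PREFIX, plen);
    memcpy(dst + plen, user, ulen + 1);     /* +1 copies the terminator */
    return 0;
}

/* Hypothetical handler: reject oversized input instead of truncating it. */
int handle_value(const char *user)
{
    char buf[BUF_SIZE];
    return concat_checked(buf, sizeof buf, user) == 0 ? 200 : 400;
}

/* Constructed driver: status code for a value made of n 'A' bytes. */
int status_for_length(size_t n)
{
    static char value[4096];
    if (n >= sizeof value) n = sizeof value - 1;
    memset(value, 'A', n);
    value[n] = '\0';
    return handle_value(value);
}

int main(void)
{
    printf("505 -> %d, 506 -> %d\n", status_for_length(505), status_for_length(506));
    return 0;
}
```

With the six-byte prefix and the terminator, 505 bytes is the longest value that fits, so the check rejects anything from 506 bytes up before a single byte is copied.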

Discovered by an anonymous researcher working with Trend Micro Zero Day Initiative, the security flaw was reported to D-Link in February. D-Link has confirmed the vulnerability and released a first Beta Hotfix patch for the DIR-878 model. D-Link says that fixed firmware for the DIR-867 and DIR-882-US is under development. A firmware update will be provided as soon as it becomes available via

Affected Models

| Model | Hardware Revision | Affected FW | Fixed FW | Recommendation | Last Updated |
|---|---|---|---|---|---|
| DIR-867 | All Ax Hardware Revisions | v1.30B07 & Below | Under Development | Pending Release | 03/04/2022 |
| DIR-878 | All Ax Hardware Revisions | v1.30B08-Hotfix & Below | v1.30b08_Beta_Hotfix | Upgrade to Beta Hotfix | 04/01/2022 |
| DIR-882-US | All Ax Hardware Revisions | v1.30B06-Hotfix & Below | Under Development | Pending Release | 03/04/2022 |

Owners of affected D-Link devices are strongly advised to apply the patches and upgrades released by the company to mitigate potential threats.