D-Link DIR-816 Router Alert: 6 Critical Flaws (CVSS 9.8) Allow Remote Code Execution, NO PATCHES

In a recent security advisory, D-Link confirmed the discovery of multiple critical vulnerabilities in its now End-of-Life (EOL) DIR-816 wireless routers. These flaws affect all hardware revisions and all firmware versions of the product, which officially reached EOL on November 10, 2023. Tracked under six separate CVEs, the issues include stack-based buffer overflows and OS command injection vulnerabilities that could allow remote attackers to execute arbitrary code.

“Products that have reached EOL/EOS status may no longer receive technical support or firmware updates,” D-Link warns.

The firs vulnerability, tracked as CVE-2025-5622, exists in the /goform/wirelessApcli_5g function of firmware version 1.10CNB05, where improper handling of the apcli_mode_5g, apcli_enc_5g, and apcli_default_key_5g parameters can lead to a stack-based buffer overflow. This flaw, tracked as CVE-2025-5622, carries a CVSS score of 9.8, indicating critical severity.

Another vulnerability, CVE-2025-5623, targets the /goform/qosClassifier function. Manipulating the dip_address or sip_address parameters in this endpoint can result in a stack-based buffer overflow, allowing attackers to crash or hijack the system. Like the previous flaw, it scores 9.8 on the CVSS scale, reflecting its critical nature.

The vulnerability identified as CVE-2025-5624 is functionally similar to CVE-2025-5623 but appears to be triggered through a different internal logic path of the QoSPortSetup routine. It too affects /goform/qosClassifier and relies on manipulating the same arguments (dip_address, sip_address) to achieve a buffer overflow. With a CVSS score of 9.8, it remains highly exploitable.

CVE-2025-5630 impacts the LAN configuration interface via the /goform/form2lansetup.cgi endpoint. Here, improper validation of the IP argument can lead to a stack-based buffer overflow, which could be exploited for code execution or denial of service attacks. This vulnerability also carries a CVSS score of 9.8, underscoring the router’s extensive exposure.

Moving beyond buffer overflows, CVE-2025-5620 represents a command injection vulnerability. It resides in the /goform/setipsec_config function, where unsanitized input in the localIP and remoteIP parameters enables attackers to inject and execute arbitrary system commands. With a CVSS score of 7.3, this vulnerability is particularly dangerous in scenarios where remote access is possible.

Lastly, CVE-2025-5621 targets the same /goform/qosClassifier function as previous flaws but exploits it for OS command injection instead of buffer overflow. Attackers can abuse the dip_address and sip_address parameters to run unauthorized shell commands on the device. This flaw also scores 7.3 CVSS, making it a high-risk issue, especially in exposed or misconfigured networks.

D-Link’s advisory reiterates that EOL products like the DIR-816 no longer receive patches or technical support, making these vulnerabilities permanent and exploitable indefinitely.

Organizations and home users still relying on this model are strongly advised to retire and replace the DIR-816 immediately.

Related Posts:

• D-Link Issues Warning on End-of-Life Routers Vulnerable to Botnet Exploits
• Node.js to Issue CVE for End-of-Life Versions
• Node.js Expands CVE Coverage for EOL Releases Despite MITRE Rejection
• Linux Kernel Vulnerability Exposes Local Systems to Privilege Escalation, PoC Published