How to fix CVE-2025-50646?

Within 24 hours: Identify and inventory all D-Link DI-8003 devices running firmware 16.07.26A1 across your network. Within 7 days: Contact D-Link support to confirm firmware availability status and implement temporary network segmentation to restrict WAN access to the /qos_type_asp.asp endpoint using firewall rules. Within 30 days: Replace affected devices with patched firmware versions once available from D-Link, or substitute with alternative router models if no patch timeline is provided by the vendor.

Is D-Link affected by CVE-2025-50646?

CVE-2025-50646 is a critical unauthenticated denial-of-service vulnerability in D-Link DI-8003 routers (firmware 16.07.26A1) that allows remote attackers to crash network infrastructure without credentials.

CVE-2025-50646

EUVD-2025-209325 HIGH

2026-04-08 mitre

GHSA-h436-c99c-c8r5

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 08, 2026 - 19:31 vuln.today

EUVD ID Assigned

Apr 08, 2026 - 19:31 euvd

EUVD-2025-209325

CVE Published

Apr 08, 2026 - 00:00 nvd

HIGH 7.5

Description

A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint.

Analysis

Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through malformed input to the name parameter at /qos_type_asp.asp endpoint. Attackers can trigger service disruption without authentication or user interaction by exploiting insufficient input validation in the QoS management interface. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis.

Technical Context

Classic stack-based buffer overflow (CWE-120) in web administration interface's QoS type handler. Unchecked bounds on name parameter allow memory corruption, resulting in service crash (CVSS:3.1 A:H). Network-accessible attack vector with no authentication barrier (PR:N) makes this exploitable via HTTP request manipulation against vulnerable firmware version 16.07.26A1.

Affected Products

D-Link DI-8003 router, firmware version 16.07.26A1. Vendor: D-Link Corporation. CPE metadata incomplete in authoritative sources.

Remediation

No vendor-released patch identified at time of analysis. Consult D-Link security bulletin at https://www.dlink.com/en/security-bulletin/ for firmware update availability and device lifecycle status. If D-Link has discontinued support for DI-8003, immediately isolate affected devices from untrusted networks by restricting administrative interface access to trusted IP ranges via firewall rules or disabling remote management entirely. Deploy network segmentation to limit blast radius. Consider hardware replacement with currently-supported models if vendor confirms end-of-life status. Monitor D-Link advisories and NVD entry https://nvd.nist.gov/vuln/detail/CVE-2025-50646 for patched firmware releases.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2025-50646 vulnerability details – vuln.today

Back

CVE-2025-50646

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-50646

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code