EUVD-2025-16950

CVE-2025-5624 | CRITICAL | CVSS 3.1: 9.8
2025-06-05

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 17:53 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:53 (euvd), EUVD-2025-16950
PoC Detected: Jun 06, 2025 - 15:42 (vuln.today), public exploit code
CVE Published: Jun 05, 2025 - 01:15 (nvd), CRITICAL 9.8

Description

A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been declared as critical. This vulnerability affects the function QoSPortSetup of the file /goform/QoSPortSetup. The manipulation of the argument port0_group/port0_remarker/ssid0_group/ssid0_remarker leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Analysis

CVE-2025-5624 is a critical stack-based buffer overflow in the QoSPortSetup function of D-Link DIR-816 firmware version 1.10CNB05. An unauthenticated remote attacker can exploit it by manipulating the port0_group, port0_remarker, ssid0_group, or ssid0_remarker parameters to achieve arbitrary code execution and full device takeover, compromising confidentiality, integrity, and availability. Public exploit code has been disclosed, which significantly increases the risk of real-world exploitation.

Technical Context

The vulnerability exists in the /goform/QoSPortSetup endpoint of D-Link DIR-816 wireless router firmware, specifically in the QoS (Quality of Service) configuration handler. The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a classic stack-based buffer overflow. The vulnerable function fails to properly validate the length of user-supplied input parameters (port0_group, port0_remarker, ssid0_group, ssid0_remarker) before copying them into fixed-size stack buffers. This allows attackers to write beyond allocated buffer boundaries, corrupting the stack frame and overwriting return addresses or other critical data structures. The attack surface is the HTTP form handler endpoint, accessible via the router's web administrative interface. Affected hardware: D-Link DIR-816 router running firmware version 1.10CNB05 (CPE would be: cpe:2.3:o:d-link:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:*).

Affected Products

D-Link DIR-816, firmware version 1.10CNB05

Remediation

No vendor patches are available since this product is end-of-life and no longer supported by D-Link. Remediation options are limited:

(1) HARDWARE REPLACEMENT: Organizations still deploying DIR-816 units should immediately plan replacement with current, supported router models from D-Link or alternative vendors.
(2) NETWORK ISOLATION: If replacement is not immediately feasible, isolate affected routers from untrusted networks and implement network segmentation to limit exposure.
(3) ACCESS RESTRICTION: Disable remote web-based administration (ensure WAN access to HTTP/HTTPS administrative interfaces is blocked); restrict administrative access to trusted internal networks only.
(4) FIREWALL RULES: Implement strict firewall policies blocking external access to port 80/443 on affected devices.
(5) MONITORING: Enable logging on affected devices and monitor for suspicious QoS configuration requests to the /goform/QoSPortSetup endpoint.
(6) FIRMWARE CHECK: Verify no other DIR-816 units in inventory are still running 1.10CNB05; if other versions exist, assess if they contain similar vulnerabilities.
(7) INCIDENT RESPONSE: Organizations that have deployed DIR-816 units should assume breach risk and audit for signs of compromise (unusual traffic patterns, unauthorized configuration changes, potential command injection artifacts).

No upstream patch is forthcoming from D-Link.
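One way to implement the monitoring in item (5), as an added example that is not code from vuln.today or D-Link: it reviews captured HTTP requests and flags those to /goform/QoSPortSetup that carry an oversized value in one of the four affected parameters or that originate outside the trusted admin network. The record layout (source IP, path, form-encoded body), `MAX_VALUE_LEN`, `TRUSTED_NETS` and the sample requests are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

ENDPOINT = "/goform/QoSPortSetup"
PARAMS = ("port0_group", "port0_remarker", "ssid0_group", "ssid0_remarker")
# Assumption: alerting threshold, not the firmware's real buffer size.
# Tune it to the longest value seen in legitimate QoS configuration.
MAX_VALUE_LEN = 32
# Assumption: the only network allowed to reach the admin interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]


def review_request(src_ip, path, body):
    """Return a list of findings for one captured HTTP request."""
    route, _, query = path.partition("?")
    if route != ENDPOINT:
        return []
    findings = []
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in TRUSTED_NETS):
        findings.append("request from outside trusted networks")
    # Parameters may arrive in the query string or the form body; check both.
    fields = parse_qs(query + "&" + body, keep_blank_values=True)
    for name in PARAMS:
        for value in fields.get(name, []):
            if len(value) > MAX_VALUE_LEN:
                findings.append(
                    f"{name} length {len(value)} exceeds {MAX_VALUE_LEN}")
    return findings


def scan(records):
    """Return (src_ip, findings) for every record that has findings."""
    results = []
    for src_ip, path, body in records:
        findings = review_request(src_ip, path, body)
        if findings:
            results.append((src_ip, findings))
    return results


# Constructed sample records: (source IP, request path, form body).
SAMPLE_REQUESTS = [
    ("192.168.0.10", ENDPOINT, "port0_group=1&port0_remarker=0&ssid0_group=2"),
    ("192.168.0.10", ENDPOINT, "ssid0_group=" + "x" * 300),
    ("203.0.113.7", ENDPOINT, "port0_group=1"),
    ("192.168.0.10", "/index.asp", ""),
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_REQUESTS):
        print(src, "; ".join(findings))
```
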

Priority Score

70 (KEV: 0, EPSS: +0.7, CVSS: +49, POC: +20)
