Thursday, March 5, 2026

Critical Vulnerabilities in D-Link Routers Allow Attackers to Execute Arbitrary Code

D-Link has confirmed that its non-U.S. DIR-816 Wi-Fi routers, across all hardware revisions and firmware versions, contain six newly disclosed critical vulnerabilities that allow unauthenticated attackers on the network to run arbitrary code and take full control of the device.

Because the entire product line reached End-of-Life (EOL) in November 2023, no security patches will be issued; users are therefore urged to retire the hardware immediately.

Four of the six issues—CVE-2025-5622, CVE-2025-5623, CVE-2025-5624 and CVE-2025-5630—stem from stack-based buffer overflow conditions in CGI handlers that process configuration input.

The vulnerable functions (wirelessApcli_5g, qosClassifier, QoSPortSetup, and form2lansetup.cgi) fail to validate key parameters such as SSID mode, QoS address fields and LAN IP data.

An attacker can send an oversized HTTP POST request to any of these endpoints, overwrite the stack and hijack the program counter, ultimately executing shellcode with root privileges.

Each overflow carries a CVSS v3.1 base score of 9.8 (Critical), and an even higher legacy v2.0 score of 10.0, indicating trivial exploitation over the local network or, if the management interface is exposed, from the public Internet.

Because the router’s web server runs as root, no further privilege escalation is necessary once code execution is achieved. Successful compromise enables permanent malware installation, traffic interception, or pivoting to internal hosts.

Vulnerabilities in D-Link Routers

The remaining two vulnerabilities, CVE-2025-5620 and CVE-2025-5621, are OS command injection vulnerabilities in /goform/setipsec_config and /goform/qosClassifier, respectively.

By crafting the localIP, remoteIP, dip_address, or sip_address parameters to include shell metacharacters, attackers can append arbitrary commands that the router executes in the context of its BusyBox environment.

Although their CVSS v3.1 scores (7.3, High) are slightly lower than those of the overflow bugs, the injection vulnerabilities are easier to script and can be chained with misconfigurations such as default passwords, greatly expanding the attack surface.

An adversary who gains code execution can download malicious firmware, establish reverse shells, modify DNS settings to conduct phishing attacks, or disable the router entirely.

End-of-Service

D-Link formally ended all firmware development and technical support for the DIR-816 platform in late 2023, classifying the series as both End-of-Support (EOS) and End-of-Life.

The vendor’s advisory states that “any further use of this product may be a risk to devices connected to it” and explicitly recommends that customers “retire and replace” the hardware.

For users who cannot immediately replace the router, D-Link suggests upgrading to the final available firmware, disabling remote administration, using unique strong passwords, and enabling WPA2/WPA3 encryption.

These measures, however, do not neutralize the underlying vulnerabilities because exploitation requires only network access and does not depend on authentication or wireless encryption strength.

Enterprises that still rely on the DIR-816 for guest networks or IoT segregation should expedite migration plans and perform rigorous outbound traffic monitoring to detect compromise attempts.

Security teams are further advised to block access to the vulnerable CGI paths with intrusion-prevention rules, segment legacy devices on isolated VLANs and audit DNS logs for suspicious resolution patterns originating from the router IP.
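As an added illustration of the filtering logic such a rule could apply (this is not code from D-Link or from the advisory), the Python sketch below flags requests to the handlers named in this article when an IP-address field holds anything other than an IP address or when any field is unusually long. The 64-character limit, the record layout and the sample records are assumptions made for the example.

```python
import ipaddress
from urllib.parse import parse_qsl

# Handler and parameter names as given in the article.
HANDLERS = ("wirelessApcli_5g", "qosClassifier", "QoSPortSetup",
            "form2lansetup.cgi", "setipsec_config")
IP_PARAMS = {"localIP", "remoteIP", "dip_address", "sip_address"}
MAX_VALUE_LEN = 64  # assumed limit; tune to what the legitimate web UI sends

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def inspect(path, body):
    """Return the reasons a request to one of the handlers looks hostile."""
    route, _, query = path.partition("?")
    handler = next((h for h in HANDLERS if h in route), None)
    if handler is None:
        return []
    reasons = []
    fields = parse_qsl(query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        # Allowlist check: these fields should only ever hold an IP address.
        if name in IP_PARAMS and value and not is_ip(value):
            reasons.append(f"{handler}: {name} is not a plain IP address")
        if len(value) > MAX_VALUE_LEN:
            reasons.append(f"{handler}: {name} is {len(value)} characters long")
    return reasons

def scan(records):
    return [(src, r) for src, path, body in records for r in inspect(path, body)]

# Constructed records (source, path, body), not real traffic; "example_field" is made up.
SAMPLE = [
    ("192.0.2.10", "/goform/qosClassifier", "dip_address=10.0.0.5&sip_address=10.0.0.6"),
    ("192.0.2.66", "/goform/setipsec_config", "localIP=10.0.0.1%3Bx&remoteIP=10.0.0.2"),
    ("192.0.2.66", "/goform/qosClassifier", "example_field=" + "A" * 300),
    ("192.0.2.10", "/index.html", ""),
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE):
        print(src, reason)
```

Because the flaws need no authentication, any hit from outside the management workstation set is worth investigating even if the router shows no other symptoms.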

Given the critical severity scores, public exploit code is expected to emerge quickly, raising the likelihood of large-scale botnet recruitment and man-in-the-middle attacks.

With no vendor patches forthcoming, the only definitive remediation is hardware replacement with a current-generation router that enjoys active vulnerability response and long-term firmware support.

Administrators should document the decommissioning process, securely wipe configuration data, and recycle the units in accordance with local e-waste regulations.

Failure to act promptly leaves every connected endpoint—from laptops to smart-home devices—exposed to remote takeover, data theft and service disruption via a single, obsolete networking appliance.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
