Introduction
A publicly available exploit for a buffer overflow in the D-Link DIR-825M router's VPN configuration handler gives remote attackers a straightforward path to arbitrary code execution on affected devices. With a CVSS 3.1 score of 8.8 and no vendor patch currently available, this vulnerability represents a concrete risk for any network still running the DIR-825M, particularly given the well-established pattern of Mirai botnet variants incorporating D-Link router exploits into their arsenals.
Technical Information
The vulnerability resides in the web management interface of the D-Link DIR-825M running firmware version 1.1.12. Specifically, the function sub_4151FC handles HTTP POST requests sent to the /boafrm/formVpnConfigSetup endpoint. When this function processes the submit-url parameter from an incoming request, it copies the value into a fixed-size stack buffer using strcpy, which performs no bounds checking on the input length.
This is a textbook stack-based buffer overflow. An attacker who supplies an oversized value for the submit-url parameter will overwrite adjacent stack memory, including the saved return address. By carefully constructing the overflow payload, the attacker can redirect program execution to shellcode of their choosing, achieving arbitrary code execution on the device.
The NVD classifies this under two CWE categories:
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input
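As an added illustration of the CWE-120 pattern described above, beside its bounded replacement, the following C is written for this page; it is not code from the advisory or from the DIR-825M firmware (sub_4151FC is a stripped binary function whose source and buffer size are not published). BUF_SIZE and both function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; the real size in sub_4151FC is not published. */
#define BUF_SIZE 64

/* Vulnerable pattern (an illustration of what the advisory describes, not the
 * firmware's code): strcpy copies until the NUL terminator, so a value of
 * BUF_SIZE bytes or more runs past 'buf' into the saved registers and the
 * return address. Calling it with an oversized value is undefined behaviour;
 * this example only ever passes it a short constant. */
void vulnerable_set_submit_url(const char *value)
{
    char buf[BUF_SIZE];
    strcpy(buf, value);                 /* no bounds check: CWE-120 */
    printf("stored (unsafely): %s\n", buf);
}

/* Hardened form: measure the input against the destination before copying,
 * reject anything that does not fit together with its terminator, and copy
 * with an explicit length. Returns 0 on success and -1 when rejected; 'out'
 * is left untouched on rejection so a caller never sees a partial value. */
int safe_set_submit_url(const char *value, char *out, size_t out_len)
{
    if (value == NULL || out == NULL || out_len == 0)
        return -1;
    size_t n = 0;
    while (n < out_len && value[n] != '\0')   /* never scan past out_len */
        n++;
    if (n == out_len)                         /* no terminator within the limit */
        return -1;
    memcpy(out, value, n + 1);                /* n + 1 <= out_len, includes the NUL */
    return 0;
}

int main(void)
{
    char out[BUF_SIZE];
    char oversized[BUF_SIZE * 4];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    vulnerable_set_submit_url("/index.html");  /* short constant only */
    printf("short value accepted (0 = ok): %d\n",
           safe_set_submit_url("/index.html", out, sizeof out));
    printf("oversized value rejected (-1 = rejected): %d\n",
           safe_set_submit_url(oversized, out, sizeof out));
    return 0;
}
```

The check is deliberately done before any write: the length scan itself is capped at out_len so a missing terminator in the input cannot make the validator read out of bounds either, and a value that would fill the buffer exactly with no room for the NUL is rejected rather than silently truncated.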
Attack Flow
- The attacker identifies a D-Link DIR-825M device with firmware version 1.1.12 exposed on the network.
- The attacker crafts an HTTP POST request targeting the /boafrm/formVpnConfigSetup endpoint.
- The request includes an excessively long string in the submit-url parameter, designed to overflow the fixed-size stack buffer in sub_4151FC.
- The strcpy call copies the oversized input without bounds checking, overwriting the return address on the stack.
- When the function returns, execution jumps to the attacker-controlled address, enabling arbitrary code execution.
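For the defender's side of the flow above, here is an added C example (written for this page, not from the advisory or any vendor tool) that flags log entries matching the request shape the advisory describes: a POST to /boafrm/formVpnConfigSetup carrying an unusually large request body. Because a log line normally does not include the submit-url value itself, body size stands in for parameter length. The log line format, the sample entries and BODY_THRESHOLD are constructed assumptions; the router's own httpd keeps no such log, so in practice the source would be a proxy, IDS or packet-derived HTTP log in front of the device.

```c
#include <stdio.h>
#include <string.h>

/* Assumed threshold: a legitimate VPN configuration form post is at most a
 * few hundred bytes, while an overflow attempt must exceed the (unpublished)
 * target buffer plus the surrounding stack frame. Tune to local traffic. */
#define BODY_THRESHOLD 1024
#define VPN_ENDPOINT "/boafrm/formVpnConfigSetup"

/* Constructed sample log, one request per line, in the assumed shape:
 *   <client-ip> "<METHOD> <path> <proto>" <status> <request-body-bytes>
 * Addresses are documentation ranges, not real hosts. */
const char *SAMPLE_LOG[] = {
    "10.0.0.5 \"GET /index.html HTTP/1.1\" 200 0",
    "10.0.0.5 \"POST /boafrm/formVpnConfigSetup HTTP/1.1\" 200 312",
    "192.0.2.44 \"POST /boafrm/formVpnConfigSetup HTTP/1.1\" 200 4123",
    "192.0.2.44 \"POST /boafrm/formVpnConfigSetup?x=1 HTTP/1.1\" 500 9876",
    "192.0.2.44 \"POST /boafrm/formOtherSetup HTTP/1.1\" 200 9999",
    NULL
};

/* Returns 1 if the line records a POST to the vulnerable endpoint whose
 * request body exceeds BODY_THRESHOLD bytes, otherwise 0. Lines that do not
 * parse are ignored rather than treated as hits. Authentication state is
 * deliberately not a condition: the advisory notes the check may be
 * reachable without a valid session. */
int flag_oversized_vpn_post(const char *line)
{
    char ip[64], method[16], path[512], proto[16];
    int status;
    long req_bytes;

    if (sscanf(line, "%63s \"%15s %511s %15[^\"]\" %d %ld",
               ip, method, path, proto, &status, &req_bytes) != 6)
        return 0;
    if (strcmp(method, "POST") != 0)
        return 0;
    /* match the endpoint exactly or followed by a query string */
    size_t n = strlen(VPN_ENDPOINT);
    if (strncmp(path, VPN_ENDPOINT, n) != 0)
        return 0;
    if (path[n] != '\0' && path[n] != '?')
        return 0;
    return req_bytes > BODY_THRESHOLD;
}

/* Scan a NULL-terminated array of log lines and count the flagged entries. */
int count_flagged(const char *const *lines)
{
    int hits = 0;
    for (; *lines != NULL; lines++)
        hits += flag_oversized_vpn_post(*lines);
    return hits;
}

int main(void)
{
    for (const char *const *p = SAMPLE_LOG; *p != NULL; p++)
        if (flag_oversized_vpn_post(*p))
            printf("ALERT: %s\n", *p);
    printf("%d flagged of %d lines\n", count_flagged(SAMPLE_LOG), 5);
    return 0;
}
```

Two lines in the constructed sample are flagged: the 4123-byte and 9876-byte POSTs to the endpoint. The small legitimate-sized POST, the GET, and the large POST to a different form are left alone, which is the point of keying on both the path and the size rather than on either alone.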
Severity Metrics
| Metric System | Base Score | Key Details |
|---|---|---|
| CVSS 3.1 | 8.8 High | Network vector, low complexity, low privileges required, no user interaction, high impact across confidentiality, integrity, and availability |
| CVSS 4.0 | 7.4 High | Includes E:P (Exploit Public) temporal modifier |
| CVSS 2.0 | 9.0 High | Complete compromise under legacy scoring |
Authentication Ambiguity
There is a discrepancy worth noting. The NVD CVSS vectors specify low privileges (PR:L) or single authentication (Au:S) as prerequisites. However, the security researcher who published the exploit states the vulnerability can be triggered without authentication. The published exploit code does include a webuicookie header, suggesting some session state may be involved. Defenders should operate under the assumption that minimal or no authentication is required.
Affected Systems and Versions
- Product: D-Link DIR-825M
- Hardware Revision: Ax (Non US)
- Firmware Version: 1.1.12 (and firmware versions 1.xx or earlier per D-Link advisory SAP10477)
- Vulnerable Endpoint: /boafrm/formVpnConfigSetup
- Vulnerable Function: sub_4151FC
Any D-Link DIR-825M device running the affected firmware with the web management interface accessible over the network is potentially exploitable.
Vendor Security History
D-Link has a lengthy track record of security incidents that provides important context for assessing the risk posture of their products.
| Year | Incident |
|---|---|
| 2013 | Firmware for the DIR-100 revA contained a backdoor bypassing authentication via a specific user agent string |
| 2015 | ZynOS firmware in some D-Link routers was vulnerable to DNS hijacking by unauthenticated remote attackers |
| 2017 | The FTC sued D-Link for failing to secure routers and IP cameras; settled in 2019 with mandatory security program enhancements |
| 2023 | D-Link confirmed a data breach after an employee fell victim to a phishing attack |
The DIR-825 product family specifically has a pattern of stack based buffer overflows:
| CVE | Date | Component |
|---|---|---|
| CVE-2025-6291 | June 2025 | HTTP POST Request do_file |
| CVE-2025-7206 | July 2025 | httpd switch_language.cgi |
| CVE-2025-8949 | August 2025 | httpd ping_response.cgi |
| CVE-2025-10666 | September 2025 | apply.cgi sub_4106d4 |
This recurring pattern of memory safety issues in the web management interface suggests systemic weaknesses in the DIR-825 firmware codebase that have not been addressed at an architectural level.
References
- NVD Entry for CVE-2026-7288
- CVE Record: CVE-2026-7288
- GitHub Issue: D-Link DIR-825M Buffer Overflow PoC
- VulDB Entry: CVE-2026-7288
- VulDB CTI: CVE-2026-7288
- D-Link Security Advisory SAP10477
- D-Link Security Advisory SAP10341 (DIR-825 Historical Vulnerabilities)
- HKCERT: Mirai Botnet Targets End of Life D-Link Routers
- SecurityWeek: Mirai Botnet Targets Flaw in Discontinued D-Link Routers
- D-Link Official Website