Several critical security flaws have been identified in D-Link DIR-816 router models, potentially allowing remote attackers to execute arbitrary code and gain unauthorized access to network systems. These vulnerabilities affect all hardware versions and firmware releases of the non-U.S. DIR-816 models, which are now officially classified as End-of-Life (EOL).
Severe Buffer Overflow Vulnerabilities Allow Remote Code Execution
Four of the six identified issues are stack-based buffer overflow vulnerabilities, each rated with a CVSS score of 9.8, indicating the highest level of severity. One of these, CVE-2025-5622, involves the wirelessApcli_5g function located in /goform/wirelessApcli_5g. Exploiting parameters such as apcli_mode_5g, apcli_enc_5g, and apcli_default_key_5g can lead to memory corruption.
Two other flaws, CVE-2025-5623 and CVE-2025-5624, reside in the qosClassifier function in /goform/qosClassifier, where the dip_address and sip_address parameters can be used to trigger buffer overflows.
A separate critical issue, CVE-2025-5630, affects /goform/form2lansetup.cgi and is triggered by manipulating the IP parameter.
These flaws fall under CWE-121 (stack-based buffer overflow) and CWE-119 (memory corruption), allowing attackers to overwrite memory and potentially run malicious code with administrative rights.
Command Injection Threats Identified
The remaining two vulnerabilities are categorized as OS command injection risks. CVE-2025-5620 affects the setipsec_config function in /goform/setipsec_config, where attackers can alter the localIP and remoteIP fields to inject unauthorized commands.
CVE-2025-5621 also targets the qosClassifier function, exploiting the dip_address and sip_address fields in a similar manner.
These command injection vulnerabilities fall under CWE-78 and CWE-77 and have been rated with a CVSS score of 7.3. They enable attackers to run operating system commands remotely without permission.
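As an added illustration, not code from the article or from D-Link's firmware, the following C shows the parameter-handling pattern behind both classes of finding above alongside a hardened form: a bounded copy for fixed-size string fields such as the apcli_*_5g values, and a strict IPv4-literal check for address fields such as IP, localIP, remoteIP, dip_address and sip_address. The same check covers both issues, because a length bound removes the stack overflow and a dotted-quad grammar leaves no room for shell metacharacters. The function names, buffer sizes and sample inputs are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* "255.255.255.255" plus the terminating NUL. Constructed size for this example. */
#define IPV4_STR_MAX 16

/* The defect pattern behind the DIR-816 overflow findings: a request
 * parameter copied into a fixed stack buffer with no length check.
 * Shown for contrast only; nothing in this example calls it. */
void unsafe_copy_param(const char *param, char out[IPV4_STR_MAX]) {
    strcpy(out, param);   /* any value of 16 or more bytes overruns 'out' */
}

/* Hardened replacement for plain string fields (e.g. an encryption mode).
 * Copies 'src' into 'dst' only if it fits, including the NUL; otherwise
 * leaves 'dst' empty and returns 0 so the caller can reject the request. */
int copy_param_bounded(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz == 0) return 0;
    dst[0] = '\0';
    if (src == NULL) return 0;
    /* Look for the terminator inside the bound; never scan beyond dstsz. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL) return 0;            /* no NUL within dstsz: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 1;
}

/* Hardened handling for address fields (IP, localIP, remoteIP, dip_address,
 * sip_address). Accepts only a dotted-quad IPv4 literal of bounded length and
 * writes its canonical form to 'out'. The bound removes the overflow; the
 * strict grammar enforced by inet_pton rejects every shell metacharacter, so
 * the value is safe to pass on even if a later step builds a command line. */
int parse_ip_param(const char *param, char out[IPV4_STR_MAX]) {
    struct in_addr addr;
    char tmp[IPV4_STR_MAX];
    out[0] = '\0';
    if (!copy_param_bounded(tmp, sizeof tmp, param)) return 0;
    if (tmp[0] == '\0') return 0;                       /* empty value */
    if (inet_pton(AF_INET, tmp, &addr) != 1) return 0;  /* not an IPv4 literal */
    /* Re-serialize so callers receive a canonical form, never the raw input. */
    return inet_ntop(AF_INET, &addr, out, IPV4_STR_MAX) != NULL;
}

int main(void) {
    /* Constructed sample values a CGI handler might receive. */
    const char *samples[] = {
        "192.168.0.1",                          /* valid */
        "10.0.0.1;reboot",                      /* metacharacter: rejected by inet_pton */
        "999.1.1.1",                            /* octet out of range */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",   /* overlong: would overrun a 16-byte buffer */
        "",                                     /* empty */
    };
    char ip[IPV4_STR_MAX];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = parse_ip_param(samples[i], ip);
        printf("%-40s -> %s\n", samples[i], ok ? ip : "REJECTED");
    }
    return 0;
}
```

The validated value is what a handler should hand to any later configuration step; re-serializing with inet_ntop also means downstream code never sees the raw request bytes, only the canonical address.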
Discontinued Support and Urgent Mitigation Steps
The flaws were first disclosed by security researcher pjqwudi through a VulDB disclosure. D-Link has since confirmed that all DIR-816 models are classified as End-of-Service (EOS), meaning the company will no longer release firmware updates or security patches.
Due to the severity of the risks, D-Link advises users to retire these devices immediately. Continued use of DIR-816 routers could expose networks to serious vulnerabilities.
Users are encouraged to switch to newer models that still receive firmware updates, back up their data, and reach out to local D-Link support for help with replacements.