D-Link Router Exploitation
Potential Affected Sectors
· Small office/home office (SOHO)
Potential Affected Countries
· Global
BLUF
Threat actors are exploiting a buffer overflow vulnerability in End-of-Life (EoL) D-Link routers, which could lead to a complete compromise of the device (confidentiality, integrity, and availability).
Date of First Reported Activity
· No separate first-activity date is reported; the activity is dated to the KEV listing date of December 8, 2025.
Date of Last Reported Activity Update
· December 8, 2025
CVE-2022-37055
D-Link Routers Buffer Overflow Vulnerability.
CVSS v3.1
· (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· Not applicable
Is this on the KEV list
· Yes, as of December 8, 2025.
Mitigation by Date on KEV list
· December 29, 2025
Mitigation Data
· Action: discontinue use of the product if mitigations are unavailable, or apply mitigations per vendor instructions.
If discontinuation of this product is not possible
· Restrict Access: Limit access to the device's web management interface (cgibin and hnap_main components) to only trusted internal IP addresses. This means disabling remote management features from the WAN (Wide Area Network/Internet).
· Implement Network Segmentation: Isolate the vulnerable device from critical network segments to prevent an attacker who compromises the router from easily moving laterally within the network.
· Use Strong Security Practices:
  · Ensure the latest available firmware is installed (note that no firmware release patches this vulnerability).
  · Use a strong, unique password for the router's administrative access and Wi-Fi encryption.
  · Log traffic and monitor for signs of exploitation attempts.
· Employ Supplemental Security Controls: In enterprise environments, a Web Application Firewall (WAF) can be used as an additional layer of defense to inspect and block malicious traffic targeting the vulnerable web interface.
APT Names
· No specific APT or criminal organization is named in the provided snippets.
IOCs
Network-Based IOCs
Unusual Traffic Patterns: Monitor for a sudden spike in outbound network traffic or unexpected data transfers, which might indicate data exfiltration or the device becoming part of a botnet.
Suspicious HTTP POST Requests: The vulnerability is triggered by specially crafted POST requests sent to specific components of the web interface. Abnormal requests to the following paths in network logs can be an indicator of exploitation:
· /cgibin
· /hnap_main
Connections to Malicious IPs/Domains: The compromised device may attempt to connect to known malicious IP addresses or command-and-control (C2) servers to download and execute further malicious code (e.g., botnet binaries like Mirai variants).
Unexpected Service Activity: The exploit could enable unauthorized services, such as Telnet. Monitor the router for unexpected open ports or the activation of services that were previously disabled.
Host-Based (Device) IOCs
Unexpected Processes: Look for unusual or unknown processes running on the router's operating system, potentially indicative of remote code execution. This typically requires advanced monitoring capabilities not available on a standard consumer device.
System File Modifications: Unauthorized changes to system files or configuration settings (e.g., DNS settings, firewall rules) could indicate compromise.
Actionable Steps for Detection
Organizations can use a Web Application Firewall (WAF) to inspect and block traffic with patterns associated with buffer overflow exploits targeting the cgibin and hnap_main functions.
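The log-monitoring indicators above (requests to /cgibin and /hnap_main) can be turned into a simple detection rule. The following is an added example, not part of this advisory or any vendor tooling: it scans constructed access-log lines and flags management-endpoint requests that arrive from outside an assumed trusted LAN range (192.168.0.0/24) or carry a POST body above an assumed 1024-byte ceiling, the two traits a buffer-overflow attempt against these handlers would show. The log format, trusted range and size threshold are assumptions to adjust per site.

```python
"""Flag requests to the D-Link cgibin / hnap_main endpoints that match the advisory's
indicators: management paths reached from WAN addresses, or oversized POST bodies."""
import ipaddress
import re

WATCHED_PATHS = ("/cgibin", "/hnap_main")                # paths named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]  # assumed LAN range; adjust per site
MAX_BODY_BYTES = 1024                                    # assumed ceiling for legitimate UI POSTs

# Assumed log format: common log format plus a trailing request-body-bytes field
# (e.g. Apache "%I" from mod_logio on a reverse proxy or WAF in front of the device).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp>\d+|-) (?P<req_body>\d+)$'
)

def parse_line(line):  # returns a field dict, or None for lines that do not match the format
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), req_body=int(m["req_body"])) if m else None

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def classify(rec):  # list of reasons the record is suspicious; empty means benign
    path = rec["path"].split("?", 1)[0]
    if not any(path.startswith(p) for p in WATCHED_PATHS):
        return []
    reasons = []
    if not is_trusted(rec["ip"]):
        reasons.append("management endpoint reached from untrusted/WAN address")
    if rec["method"] == "POST" and rec["req_body"] > MAX_BODY_BYTES:
        reasons.append(f"oversized POST body ({rec['req_body']} bytes)")
    return reasons

def scan(log_text):  # returns [(client_ip, path, reasons)] for every suspicious line
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        reasons = classify(rec) if rec else []
        if reasons:
            hits.append((rec["ip"], rec["path"], reasons))
    return hits

# Constructed sample lines (not real traffic); the RFC 5737 address stands in for a WAN client.
SAMPLE_LOG = """\
192.168.0.10 - - [08/Dec/2025:10:01:05 +0000] "POST /hnap_main HTTP/1.1" 200 611 240
203.0.113.77 - - [08/Dec/2025:10:02:11 +0000] "POST /cgibin HTTP/1.1" 500 0 9812
203.0.113.77 - - [08/Dec/2025:10:02:12 +0000] "GET /hnap_main HTTP/1.1" 200 512 0
192.168.0.10 - - [08/Dec/2025:10:04:00 +0000] "POST /cgibin HTTP/1.1" 200 300 5000
"""
```

Running `scan(SAMPLE_LOG)` flags three of the four constructed lines; the small POST from the LAN client is treated as normal web-UI traffic.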
Delivery Method
· Remote exploitation via network access to the vulnerable device.
Email Samples: Not applicable/available.
References
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2022-37055
CISA KEV List
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
CISA Alert
· https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
D-link
· hxxps://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308