A newly disclosed vulnerability, tracked as CVE-2026-5815, exposes serious security risks in the D-Link DIR-645 router series. It affects firmware versions 1.01, 1.02, and 1.03, and has been assigned a CVSS v2 base score of 9.0 (High; CVSS v2 has no Critical band) and a CVSS v3.1 base score of 8.8 (High).
The flaw resides within a core CGI component of the router’s web management interface and enables remote attackers to execute arbitrary code on vulnerable devices. The exploit code is already publicly available, dramatically raising the risk profile for any organization or individual still running these legacy devices.
What Is the Vulnerability?
The vulnerability exists in the hedwigcgi_main function within /cgi-bin/hedwig.cgi, a component that handles cookie-bearing HTTP requests in the router's web interface.
When an attacker sends a specially crafted HTTP request with an oversized Cookie header value, the function fails to validate or restrict the length of that input before writing it into a fixed-size stack buffer.
This classic stack-based buffer overflow, classified under CWE-121 and the broader CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), allows an attacker to overwrite adjacent memory on the stack, including saved return addresses.
By controlling the return address, a remote attacker holding a valid low-privileged account on the device can redirect execution to attacker-controlled shellcode, achieving remote code execution (RCE) on the affected device.
The CVSS v3.1 vector string AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms that the attack is reachable over the network, needs no user interaction, has low attack complexity, and requires only low privileges (PR:L), which puts it within reach of a broad range of threat actors.
Technical Breakdown
The hedwig.cgi binary on D-Link DIR-645 routers processes HTTP POST requests used for device configuration tasks. The vulnerable hedwigcgi_main function reads the Cookie HTTP header and copies its contents into a fixed-size buffer on the stack without checking the input length against the buffer's capacity.
When input exceeds the allocated buffer size, it spills over into adjacent stack memory, corrupting the saved instruction pointer.
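The bug class described above, as an added illustration that is not the DIR-645 hedwig.cgi source or the published PoC: a CGI handler that copies the Cookie header into a fixed-size stack buffer with no bound (the vulnerable pattern, CWE-121) next to a bounded version that rejects oversized values. The buffer size (64 bytes), the cookie name ("uid") and the sample headers are assumptions made for the example.

```c
/* Constructed illustration of the bug class described above (CWE-121): a CGI
 * handler copies the attacker-controlled HTTP Cookie header into a fixed-size
 * stack buffer without a bound, shown next to a bounded version that rejects
 * oversized values. This is added example code, not the DIR-645 hedwig.cgi
 * source; the buffer size, cookie name and sample headers are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_BUF  64     /* assumed size of the handler's stack buffer */
#define COOKIE_NAME "uid"  /* assumed name of the cookie the handler wants */

/* VULNERABLE PATTERN: strcpy() stops only at the NUL byte the attacker chooses,
 * so a Cookie header longer than COOKIE_BUF-1 bytes writes past buf[] into the
 * caller's saved registers and return address. Kept only for contrast; never
 * feed it untrusted input. */
int cookie_handler_unsafe(const char *cookie_header) {
    char buf[COOKIE_BUF];
    strcpy(buf, cookie_header);          /* no length check at all */
    return (int)strlen(buf);
}

/* HARDENED VERSION: locate "uid=" among the ';'-separated cookies and copy its
 * value only if it fits in out[] together with a terminating NUL. Returns the
 * value length, or -1 when the cookie is absent or too long. Rejecting rather
 * than silently truncating keeps the caller from acting on a mangled value. */
int cookie_handler_safe(const char *hdr, char *out, size_t out_sz) {
    const size_t name_len = strlen(COOKIE_NAME);
    const char *p;
    if (hdr == NULL || out == NULL || out_sz == 0) return -1;
    for (p = hdr; *p != '\0'; ) {
        while (*p == ' ' || *p == ';') p++;          /* skip "; " separators */
        if (*p == '\0') break;
        const char *end = strchr(p, ';');
        size_t tok_len = end ? (size_t)(end - p) : strlen(p);
        if (tok_len > name_len &&
            strncmp(p, COOKIE_NAME, name_len) == 0 && p[name_len] == '=') {
            const char *val = p + name_len + 1;
            size_t val_len = tok_len - name_len - 1;
            if (val_len >= out_sz) return -1;        /* would overflow: refuse */
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return (int)val_len;
        }
        p += tok_len;
    }
    return -1;
}

/* What a fixed handler's entry point looks like: the buffer is still on the
 * stack, but its size travels with it and is enforced. */
int handle_request(const char *cookie_header) {
    char buf[COOKIE_BUF];
    return cookie_handler_safe(cookie_header, buf, sizeof buf);
}

/* Build a constructed attack-style header ("uid=" + n bytes of 'A') and run it
 * through the hardened handler. Returns the handler's result. */
int long_cookie_result(size_t n) {
    char *hdr = malloc(4 + n + 1);
    int r;
    if (hdr == NULL) return -2;
    memcpy(hdr, "uid=", 4);
    memset(hdr + 4, 'A', n);
    hdr[4 + n] = '\0';
    r = handle_request(hdr);
    free(hdr);
    return r;
}

int main(void) {
    printf("normal cookie  -> %d\n", handle_request("lang=en; uid=abc123"));
    printf("63-byte value  -> %d\n", long_cookie_result(63));
    printf("300-byte value -> %d (rejected)\n", long_cookie_result(300));
    return 0;
}
```

The hardened handler never copies more than out_sz-1 bytes, so a 300-byte cookie is rejected instead of reaching the saved return address. The unsafe variant is included only to show the pattern; with a long enough header it corrupts the stack exactly as the advisory describes.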
A proof-of-concept (PoC) exploit has been published on GitHub by researcher Pers1st0 and is accessible at the repository Pers1st0/CVE. The PoC demonstrates full exploitation using a maliciously crafted HTTP request, requiring only network access and a low-privileged account on the device.
CVSS Scoring Summary
Multiple CVSS versions have been applied to this vulnerability, and all place it in the High band (CVSS v2 has no Critical band; 9.0 is High on that scale):
- CVSS v2: 9.0 HIGH – Network-accessible (AV:N), low complexity (AC:L), single authentication required (Au:S), with complete impact on confidentiality, integrity, and availability (C:C/I:C/A:C)
- CVSS v3.0/3.1: 8.8 HIGH – Network vector, low complexity, low privileges required, no user interaction, high impact across all three security pillars
- CVSS v4.0: 8.7 HIGH – Reflecting updated scoring methodology with no attack requirements and high impacts on vulnerable system components
The CVSS v2 impact subscore of 10.0 (C:C/I:C/A:C) means a successful exploit gives complete control of the device. In practice that is code execution on the router itself, with the ability to read and alter its configuration and, because the device sits at the network edge, to intercept or reroute the traffic passing through it.
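The two base scores quoted above can be checked against the published CVSS v3.1 and v2 base equations. The working below is added here (it is not part of the original advisory) and uses only the vector strings given on this page; the v4.0 score is not re-derived because it comes from a MacroVector lookup rather than a closed formula.

\[
\begin{aligned}
&\text{CVSS v3.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H:}\\
\mathrm{ISS} &= 1-(1-0.56)(1-0.56)(1-0.56) = 1-0.085184 = 0.914816\\
\mathrm{Impact} &= 6.42 \times \mathrm{ISS} = 5.8731 \qquad (\text{scope unchanged})\\
\mathrm{Exploitability} &= 8.22 \times 0.85_{\mathrm{AV:N}} \times 0.77_{\mathrm{AC:L}} \times 0.62_{\mathrm{PR:L}} \times 0.85_{\mathrm{UI:N}} = 2.8353\\
\mathrm{Base} &= \mathrm{Roundup}\big(\min(\mathrm{Impact}+\mathrm{Exploitability},\,10)\big) = \mathrm{Roundup}(8.7084) = 8.8\\[1ex]
&\text{CVSS v2, AV:N/AC:L/Au:S/C:C/I:C/A:C:}\\
\mathrm{Impact} &= 10.41 \times \big(1-(1-0.660)(1-0.660)(1-0.660)\big) = 10.41 \times 0.960696 = 10.0\\
\mathrm{Exploitability} &= 20 \times 1.0_{\mathrm{AV:N}} \times 0.71_{\mathrm{AC:L}} \times 0.56_{\mathrm{Au:S}} = 7.952\\
\mathrm{Base} &= \big(0.6 \times \mathrm{Impact} + 0.4 \times \mathrm{Exploitability} - 1.5\big) \times 1.176 = 7.6808 \times 1.176 = 9.0
\end{aligned}
\]

Both results match the scores the page reports, and the v2 impact term is where the 10.0 impact subscore quoted above comes from.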
Affected Products and End-of-Life Status
The D-Link DIR-645 is a consumer-grade wireless router that was popular in home and small office environments. D-Link has confirmed that the DIR-645 is an end-of-life (EoL) product and will not receive a security patch for CVE-2026-5815.
This is a critical point: the vendor has no plan to remediate this flaw, leaving all users of firmware versions 1.01 through 1.03 permanently exposed unless they take action themselves.
This situation mirrors a well-known challenge in the IoT and SOHO router security landscape, where legacy hardware remains in active deployment long after vendor support ends. Many users are unaware that their devices are EoL, and the lack of automatic firmware updates on older routers significantly compounds the risk.
Recommended Mitigations
Since no official patch exists, users and administrators should take the following steps immediately:
- Replace the device with a currently supported router model that receives active firmware updates and security patches
- Disable remote management on the WAN interface if replacement is not immediately possible, reducing the attack surface to local network access only; because the overflow is reachable only with a valid login (PR:L), also change any default or shared credentials so that fewer parties hold the account needed to trigger it
- Segment the network by placing the router behind a firewall or deploying it in an isolated VLAN to limit potential lateral movement
- Monitor traffic for unusual outbound connections or configuration changes that may indicate exploitation has already occurred
- Check for compromise indicators by reviewing device logs and comparing firmware integrity against known-good checksums
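One way to implement the monitoring step above, as added example code that is not part of the advisory or the PoC: classify raw HTTP requests seen on the LAN (for example from a capture or a reverse-proxy log) and flag any request for /cgi-bin/hedwig.cgi whose Cookie header is abnormally long, which is the shape of the exploit described on this page. The 256-byte threshold and the sample requests are assumptions, not captured traffic.

```c
/* Constructed detection example: flag HTTP requests that match the exploitation
 * pattern described above (a request for /cgi-bin/hedwig.cgi carrying an
 * abnormally long Cookie header). Added example code, not from the advisory or
 * the PoC; the 256-byte threshold and the sample requests are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TARGET_PATH  "/cgi-bin/hedwig.cgi"
#define COOKIE_LIMIT 256   /* assumed: legitimate sessions use far shorter cookies */

/* Case-insensitive prefix test (header names are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix != '\0'; s++, prefix++)
        if (*s == '\0' || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Length of the Cookie header value in a raw request, or 0 if there is none. */
size_t cookie_header_len(const char *raw) {
    const char *line = strstr(raw, "\r\n");          /* skip the request line */
    while (line != NULL) {
        line += 2;
        if (*line == '\0' || strncmp(line, "\r\n", 2) == 0) break; /* end of headers */
        if (has_prefix_ci(line, "Cookie:")) {
            const char *v = line + 7;
            const char *eol;
            while (*v == ' ' || *v == '\t') v++;
            eol = strstr(v, "\r\n");
            return eol ? (size_t)(eol - v) : strlen(v);
        }
        line = strstr(line, "\r\n");
    }
    return 0;
}

/* 1 if the request line's path is exactly TARGET_PATH (optionally with ?query). */
int targets_hedwig(const char *raw) {
    const char *eol = strstr(raw, "\r\n");
    size_t line_len = eol ? (size_t)(eol - raw) : strlen(raw);
    const char *sp = memchr(raw, ' ', line_len);     /* space after the method */
    const char *path;
    size_t plen, tlen = strlen(TARGET_PATH);
    char next;
    if (sp == NULL) return 0;
    path = sp + 1;
    plen = line_len - (size_t)(path - raw);
    if (plen < tlen || strncmp(path, TARGET_PATH, tlen) != 0) return 0;
    next = plen > tlen ? path[tlen] : ' ';
    return next == ' ' || next == '?';
}

/* 1 if the request looks like an attempt against the hedwig.cgi overflow. */
int is_hedwig_overflow_attempt(const char *raw) {
    return targets_hedwig(raw) && cookie_header_len(raw) > COOKIE_LIMIT;
}

/* Constructed sample requests (not captured traffic). */
const char SAMPLE_BENIGN[] =
    "GET /cgi-bin/hedwig.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\nCookie: uid=abc123\r\n\r\n";
const char SAMPLE_OTHER[] =
    "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\ncookie: uid=x\r\n\r\n";
const char SAMPLE_NO_COOKIE[] =
    "POST /cgi-bin/hedwig.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\nContent-Length: 0\r\n\r\n";

/* Build a request for `path` carrying "uid=" + cookie_len bytes of 'A' and
 * classify it. Returns the classifier's verdict, or -1 if it cannot be built. */
int classify_constructed(const char *path, size_t cookie_len) {
    char cookie[2048], req[4096];
    int n;
    if (cookie_len + 5 > sizeof cookie) return -1;
    memcpy(cookie, "uid=", 4);
    memset(cookie + 4, 'A', cookie_len);
    cookie[4 + cookie_len] = '\0';
    n = snprintf(req, sizeof req,
                 "POST %s HTTP/1.1\r\nHost: 192.168.0.1\r\nContent-Length: 0\r\nCookie: %s\r\n\r\n",
                 path, cookie);
    if (n < 0 || (size_t)n >= sizeof req) return -1;
    return is_hedwig_overflow_attempt(req);
}

int main(void) {
    printf("benign hedwig request : %d\n", is_hedwig_overflow_attempt(SAMPLE_BENIGN));
    printf("600-byte cookie       : %d\n", classify_constructed(TARGET_PATH, 600));
    printf("600-byte, other path  : %d\n", classify_constructed("/index.html", 600));
    return 0;
}
```

A hit from this check is a signal to pull the device's logs and configuration for the other indicators listed above; a miss is not proof of safety, since the threshold is a guess and the exploit needs an authenticated session, so legitimate-looking logins preceding the request are part of the same picture.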
The ENISA European Vulnerability Database has also indexed this vulnerability under EUVD-2026-20809, underscoring its international relevance and the broader
FAQ
Q1: What is CVE-2026-5815?
CVE-2026-5815 is a stack-based buffer overflow in the hedwigcgi_main function of /cgi-bin/hedwig.cgi on D-Link DIR-645 routers (firmware 1.01–1.03) that allows a remote, low-privileged attacker to execute arbitrary code; it carries a CVSS v3.1 base score of 8.8 (High).
Q2: Is a patch available for CVE-2026-5815?
No patch is available because the D-Link DIR-645 is an end-of-life product that the manufacturer no longer supports, so affected users must replace it with a currently supported router model.
Q3: How can an attacker exploit this vulnerability?
An attacker with low-privileged credentials can send a specially crafted HTTP request containing an oversized Cookie header to overflow the stack buffer, overwrite the saved return address, and redirect execution to attacker-controlled shellcode. A working proof-of-concept exploit is already publicly available on GitHub.
Q4: What should D-Link DIR-645 users do immediately?
Users should immediately replace the DIR-645 with a supported router and, as a temporary measure, turn off WAN-side remote management, isolate the device on a segmented network, and monitor traffic for any signs of compromise or unauthorized configuration changes.
Site: thecybrdef.com