CVE-2026-7288:
CVE-2026-7288 is a remotely exploitable buffer overflow vulnerability in D-Link DIR-825M firmware version 1.1.12, affecting the `sub_4151FC` function within the `/boafrm/formVpnConfigSetup` endpoint via manipulation of the `submit-url` argument.
Score
8.8 High
- Published Date: Apr 28, 2026
- CISA KEV Date: *No Data*
- Industries Affected: 20
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-7288 affects D-Link DIR-825M routers running firmware version 1.1.12 and involves a classic stack- or heap-based buffer overflow triggered through the VPN configuration setup form. The vulnerable function `sub_4151FC` fails to properly validate the length of the `submit-url` argument before copying it into a fixed-size buffer, violating safe memory handling practices (CWE-119, CWE-120). An authenticated remote attacker can exploit this vulnerability over the network with low attack complexity and without any user interaction. The CVSS v3.1 base score is 8.8 (HIGH), reflecting the significant potential for complete compromise of the device's confidentiality, integrity, and availability. A proof-of-concept has been publicly released, making timely remediation critical for affected deployments.
Remediation
As of the time of publication, no official patch has been confirmed from D-Link for this specific vulnerability. Users and administrators are advised to take the following steps to reduce exposure:
- Monitor the D-Link official website (https://www.dlink.com/) for firmware updates addressing this issue and apply them promptly upon availability.
- Restrict access to the router's administrative interface by disabling remote management and limiting access to trusted internal networks only.
- Place the affected device behind a firewall to limit network exposure.
- Consider replacing end-of-life or unsupported D-Link devices with supported hardware that receives active security patches.
- Review VPN configuration interfaces for any signs of unauthorized access or unexpected changes.
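A defender-side check for the request pattern the overview describes, as an added example (not code from the advisory, D-Link, or the public proof-of-concept): it flags requests to `/boafrm/formVpnConfigSetup` whose `submit-url` value is unusually long or contains non-printable bytes, for use where requests to the device can be inspected. The 128-byte threshold, the `vpnEnabled` field, the `/vpn.htm` value and the sample requests are constructed assumptions; the advisory does not state the buffer size.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boafrm/formVpnConfigSetup"  # endpoint named in the advisory
PARAM = "submit-url"                     # argument named in the advisory
MAX_LEN = 128  # assumed threshold; the advisory does not give the buffer size


def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request (empty list if nothing stands out)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    url = urlsplit(target)
    if url.path != ENDPOINT:
        return []
    # latin-1 keeps one character per byte, so len() below is a byte count.
    opts = dict(keep_blank_values=True, encoding="latin-1")
    fields = parse_qs(url.query, **opts)
    if method == "POST":  # the argument may also arrive in a form-encoded body
        for key, values in parse_qs(body.decode("latin-1"), **opts).items():
            fields.setdefault(key, []).extend(values)
    findings = []
    for value in fields.get(PARAM, []):
        if len(value) > MAX_LEN:
            findings.append(f"{PARAM} length {len(value)} exceeds {MAX_LEN}")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            findings.append(f"{PARAM} contains non-printable bytes")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (b"POST /boafrm/formVpnConfigSetup HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"vpnEnabled=1&submit-url=%2Fvpn.htm")
OVERSIZED = BENIGN.replace(b"%2Fvpn.htm", b"%2F" + b"A" * 600)
BINARY = BENIGN.replace(b"%2Fvpn.htm", b"%2Fa%00b")
OTHER_PATH = (b"GET /index.htm?submit-url=" + b"A" * 600 +
              b" HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n")

if __name__ == "__main__":
    for name in ("BENIGN", "OVERSIZED", "BINARY", "OTHER_PATH"):
        print(name, inspect_request(globals()[name]))
```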
References
- [CVE-2026-7288 - VulDB Entry](https://vuldb.com/vuln/359946)
- [VulDB CTI Information for CVE-2026-7288](https://vuldb.com/vuln/359946/cti)
- [VulDB Submission 803024](https://vuldb.com/submit/803024)
- [Public Proof-of-Concept - GitHub (Kiciot/cve Issue #2)](https://github.com/Kiciot/cve/issues/2)
- [D-Link Official Website](https://www.dlink.com/)
- [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html)
- [CWE-120: Buffer Copy without Checking Size of Input](https://cwe.mitre.org/data/definitions/120.html)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.