CVE-2025-50665 Overview
CVE-2025-50665 is a buffer overflow vulnerability [CWE-120] in D-Link DI-8003 routers running firmware version 16.07.26A1. The flaw resides in the /web_keyword.asp endpoint, which fails to properly validate input length on multiple HTTP GET parameters. An unauthenticated remote attacker can send a crafted request containing oversized values in the name, en, time, mem_gb2312, or mem_utf8 parameters to trigger memory corruption. Successful exploitation produces a denial-of-service condition on the affected device.
Critical Impact
Unauthenticated attackers can remotely crash D-Link DI-8003 routers by sending a single malformed HTTP GET request, disrupting network availability for all connected clients.
Affected Products
- D-Link DI-8003 router (hardware)
- D-Link DI-8003 firmware version 16.07.26A1
- Deployments exposing the web management interface to untrusted networks
Discovery Timeline
- 2026-04-08 - CVE-2025-50665 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2025-50665
Vulnerability Analysis
The vulnerability stems from improper bounds checking in the request handler for the /web_keyword.asp endpoint on the DI-8003 web management interface. The handler reads HTTP GET parameters into fixed-size stack or heap buffers without validating the length of the user-supplied data. When the supplied value exceeds the destination buffer size, adjacent memory is overwritten, corrupting program state and crashing the embedded web service.
The CWE-120 classification identifies this as a classic buffer copy without checking the size of the input. Because the impacted device is a network router, loss of the web service typically coincides with a crash of the broader management or routing process, producing an availability impact on the device itself.
Root Cause
The firmware uses unsafe string-handling routines such as strcpy or sprintf against attacker-controlled parameters delivered through the query string. No length validation, allowlist filtering, or canonical encoding check is performed before the copy operation. The five affected parameters (name, en, time, mem_gb2312, and mem_utf8) are all processed by the same vulnerable code path.
Attack Vector
Exploitation requires network reachability to the device's HTTP management interface and no authentication or user interaction. An attacker submits a single HTTP GET request to /web_keyword.asp with one of the named parameters set to an oversized string. The device responds by crashing the web service or rebooting, depending on which memory region is corrupted.
The vulnerability is described in the GitHub IoT Vulnerability Collection and acknowledged in the D-Link Security Advisory SAP10505.
Detection Methods for CVE-2025-50665
Indicators of Compromise
- HTTP GET requests to /web_keyword.asp containing unusually long values in the name, en, time, mem_gb2312, or mem_utf8 parameters
- Unexpected reboots, watchdog resets, or web management service crashes on DI-8003 devices
- Loss of administrative connectivity to the router immediately following an inbound HTTP request from an external source
Detection Strategies
- Inspect web access logs and upstream proxy logs for requests targeting /web_keyword.asp with parameter values exceeding several hundred bytes
- Deploy network intrusion detection signatures that flag HTTP GET requests to the DI-8003 management URI containing oversized query string parameters
- Correlate router uptime resets with inbound HTTP traffic to identify availability impacts caused by exploitation attempts
Monitoring Recommendations
- Forward router syslog and SNMP availability data to a centralized analytics platform for alerting on repeated crashes
- Monitor for scanning activity probing the /web_keyword.asp path across the network perimeter
- Track exposure of DI-8003 management interfaces on internet-facing IP ranges using asset inventory data
How to Mitigate CVE-2025-50665
Immediate Actions Required
- Restrict access to the DI-8003 web management interface to trusted administrative networks using ACLs or firewall rules
- Disable remote (WAN-side) management on affected devices until a vendor patch is applied
- Review the D-Link Security Bulletin and D-Link Security Advisory SAP10505 for firmware update availability
Patch Information
At the time of publication, D-Link tracks this issue under advisory SAP10505. Administrators should monitor the official D-Link Security Bulletin page for an updated firmware release for the DI-8003 platform and apply it as soon as it becomes available. Devices running firmware 16.07.26A1 should be considered vulnerable until upgraded.
Workarounds
- Place the DI-8003 behind a network segment that blocks untrusted HTTP access to its management interface
- Use a reverse proxy or web application firewall to enforce maximum query-string and parameter length limits on requests to /web_keyword.asp
- If feasible, replace end-of-life DI-8003 hardware with a currently supported router model
# Example firewall rule restricting management access to a trusted subnet
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

