CVE-2025-60566 Overview
CVE-2025-60566 is a stack-based buffer overflow [CWE-121] in the D-Link DIR-600L Ax router running firmware FW116WWb01. The flaw resides in the formSetMACFilter function, where the curTime parameter is copied into a fixed-size stack buffer without proper bounds checking. An unauthenticated remote attacker can send a crafted HTTP request to trigger memory corruption on the device. Successful exploitation crashes the router's web management service, producing a denial-of-service condition that disrupts network connectivity for downstream clients.
Critical Impact
Remote, unauthenticated attackers can crash the DIR-600L web service and disrupt routing by sending an oversized curTime parameter to formSetMACFilter.
Affected Products
- D-Link DIR-600L hardware revision Ax
- D-Link DIR-600L firmware version FW116WWb01 (1.16WWb01)
- Deployments exposing the device web management interface
Discovery Timeline
- 2025-10-24 - CVE-2025-60566 published to the National Vulnerability Database
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2025-60566
Vulnerability Analysis
The DIR-600L web management interface exposes the formSetMACFilter handler, which processes MAC address filtering configuration submitted through the administrative UI. The handler reads the curTime request parameter and copies it into a fixed-size buffer on the stack. Because the routine performs no length validation, an attacker-controlled curTime value longer than the destination buffer overwrites adjacent stack memory, including saved return addresses.
This matches the classic stack-based buffer overflow pattern catalogued as [CWE-121]. On the MIPS-based DIR-600L platform, overwriting the saved return address corrupts the control flow of the httpd-equivalent service that hosts the web UI, terminating the process. The DIR-600L Ax is an end-of-life consumer router, and D-Link has not announced firmware updates for this model line.
Root Cause
The root cause is missing input length validation in formSetMACFilter before copying the curTime parameter into a stack-allocated buffer. The handler trusts the size of the user-supplied value rather than enforcing a maximum length, allowing adjacent stack data to be overwritten when the input exceeds buffer capacity.
Attack Vector
Exploitation occurs over the network against the router's HTTP management interface. The attack requires no authentication and no user interaction. An attacker submits a POST request to the MAC filter endpoint with an oversized curTime parameter. The resulting overflow corrupts stack memory and crashes the web service, producing an availability impact on device management and, in some configurations, on routing itself.
A proof-of-concept describing the parameter and request structure is published in a public GitHub PoC Repository.
Detection Methods for CVE-2025-60566
Indicators of Compromise
- HTTP POST requests to the DIR-600L management interface targeting the MAC filter handler with abnormally long curTime values.
- Unexpected restarts or crashes of the router's httpd web service, often accompanied by loss of administrative access.
- Repeated probing of the /goform/ or formSetMACFilter endpoints from external sources.
Detection Strategies
- Inspect HTTP request bodies bound for the router web UI for curTime parameter values that exceed expected length thresholds (for example, more than 64 bytes).
- Alert on HTTP 5xx responses or connection resets returned by the DIR-600L management interface immediately after a POST to formSetMACFilter.
- Correlate router uptime resets with inbound traffic to TCP port 80/443 on the device management plane.
Monitoring Recommendations
- Forward router syslog and management-plane traffic metadata to a centralized logging platform for retention and correlation.
- Monitor for management-interface reachability from untrusted networks, which should not be permitted in normal operation.
- Track availability of small office and home office (SOHO) gateways and trigger alerts on repeated reboot events.
How to Mitigate CVE-2025-60566
Immediate Actions Required
- Disable remote (WAN-side) administration on affected DIR-600L Ax devices and restrict management access to a trusted LAN segment.
- Place the router behind a network filter that blocks inbound HTTP/HTTPS to the management interface from the internet.
- Plan replacement of the DIR-600L Ax with a currently supported router model, as this device is end-of-life.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. D-Link has previously declared the DIR-600L series end-of-life, and no advisory URL is associated with CVE-2025-60566. Operators should treat this device as unpatched and prioritize replacement.
Workarounds
- Restrict access to the web management interface using firewall rules that allow only specific administrative IP addresses.
- Segment the router onto an isolated VLAN where management traffic cannot be reached by guest or untrusted clients.
- Disable the MAC filtering feature if not in use, and monitor for unauthorized configuration changes through the web UI.
# Example: block external access to the DIR-600L management interface on an upstream firewall
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
# Allow management only from a trusted admin host
iptables -I FORWARD -p tcp -s <admin_ip> -d <router_ip> --dport 80 -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
