CVE-2026-5980: D-Link DIR-605L Buffer Overflow Flaw

CVE-2026-5980 Overview

CVE-2026-5980 is a buffer overflow vulnerability in the D-Link DIR-605L router running firmware version 2.13B01. The flaw resides in the formSetMACFilter function within /goform/formSetMACFilter, part of the device's POST request handler. Attackers can trigger memory corruption by manipulating the curTime argument in crafted POST requests. The exploit has been publicly disclosed, increasing the risk of opportunistic attacks against exposed devices. This vulnerability affects only products that have reached end-of-life and are no longer supported by D-Link, meaning no official patch will be issued. Remote exploitation is feasible over the network, making exposed administrative interfaces a primary attack surface.

Critical Impact

Remote attackers with low-level privileges can corrupt router memory through the curTime parameter, potentially leading to arbitrary code execution or device compromise on unsupported D-Link DIR-605L hardware.

Affected Products

• D-Link DIR-605L (hardware, end-of-life)
• D-Link DIR-605L Firmware version 2.13B01
• All deployments exposing /goform/formSetMACFilter to untrusted networks

Discovery Timeline

• 2026-04-09 - CVE-2026-5980 published to NVD
• 2026-04-30 - Last updated in NVD database

Technical Details for CVE-2026-5980

Vulnerability Analysis

The vulnerability is classified as a buffer overflow [CWE-119], improper restriction of operations within the bounds of a memory buffer. The flaw exists in the formSetMACFilter handler exposed through the router's web administration interface at /goform/formSetMACFilter. When the handler processes an HTTP POST request, it copies the curTime parameter into a fixed-size stack or heap buffer without enforcing length validation. An attacker submitting an oversized curTime value overruns the destination buffer, corrupting adjacent memory regions. Successful exploitation can crash the device or, with careful payload construction, redirect execution to attacker-controlled code. The EPSS score is 0.039% with a percentile of 11.964, indicating low predicted exploitation activity at this time, though public disclosure of the exploit raises practical risk.

Root Cause

The root cause is missing bounds checking in the formSetMACFilter function. The handler trusts the length of user-supplied input from the curTime POST parameter and performs an unchecked copy into a fixed-size buffer. Embedded web servers on legacy SOHO routers commonly use unsafe C string functions such as strcpy or sprintf without length-limited variants, which is consistent with the behavior described in the public advisory.

Attack Vector

Exploitation requires network access to the router's HTTP management interface and a low-privileged authenticated session. An attacker sends a crafted POST request to /goform/formSetMACFilter with an oversized curTime argument. Devices exposing the management interface to the WAN or to untrusted LAN segments are most at risk. Because D-Link no longer maintains the DIR-605L, no vendor fix will address the underlying flaw.

The vulnerability manifests in the formSetMACFilter POST handler when processing the curTime argument. See the Notion Documentation for D-Link and VulDB Vulnerability Details #356534 for additional technical analysis.

Detection Methods for CVE-2026-5980

Indicators of Compromise

• HTTP POST requests to /goform/formSetMACFilter containing unusually long curTime parameter values
• Unexpected reboots, watchdog resets, or HTTP service crashes on DIR-605L devices
• Anomalous outbound connections from the router to unfamiliar IP addresses, indicating possible post-exploitation activity

Detection Strategies

• Inspect network traffic for POST requests targeting /goform/formSetMACFilter and flag entries where the curTime field exceeds expected length (timestamp-sized values)
• Deploy intrusion detection signatures that match oversized parameters in DIR-605L management URIs
• Correlate router HTTP access logs with firmware crash events to identify exploitation attempts

Monitoring Recommendations

• Continuously monitor management plane traffic to legacy network appliances and alert on administrative POST requests from non-administrative subnets
• Track DNS and traffic patterns from router IP addresses to identify command-and-control activity following potential compromise
• Maintain an asset inventory flag for end-of-life network devices and prioritize alerts originating from those assets

How to Mitigate CVE-2026-5980

Immediate Actions Required

• Replace affected DIR-605L devices with currently supported router models, as the product is end-of-life and will not receive a patch
• Disable WAN-side access to the web management interface immediately
• Restrict LAN-side administrative access to a dedicated management VLAN or trusted hosts
• Rotate router administrative credentials and audit existing user accounts on the device

Patch Information

No patch is available. D-Link has classified the DIR-605L as end-of-life, and the vendor confirms that unsupported products will not receive security fixes. Decommissioning the affected hardware is the only durable remediation. See the D-Link Official Website for end-of-life policy details.

Workarounds

• Place the router behind an upstream firewall that filters inbound HTTP/HTTPS traffic to the device's management interface
• Block external access to /goform/formSetMACFilter using network ACLs where the device permits such configuration
• Segment the affected router onto an isolated network segment and limit which clients can reach its administrative interface
• Monitor the device for anomalous behavior until replacement hardware is deployed

# Example firewall rule (Linux iptables) to block WAN access to router management
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -i <wan_interface> -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -i <wan_interface> -j DROP

# Restrict LAN management access to a trusted admin host
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 ! -s <admin_host_ip> -j DROP