Login Sign Up

CVE-2023-25283

7.5 HIGH
Denial of Service

📋 TL;DR

A stack overflow vulnerability in D-Link DIR-820L routers allows attackers to cause denial of service by sending specially crafted requests to the lan.asp endpoint. This affects users of D-Link DIR-820L routers with vulnerable firmware versions. The vulnerability can crash the device, disrupting network services.

💻 Affected Systems

Products:
  • D-Link DIR-820L
Versions: Firmware version DIR820LA1_FW106B02 and likely earlier versions
Operating Systems: Embedded Linux on D-Link routers
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface which is typically enabled by default.

📦 What is this software?

Dir 820l Firmware by Dlink

View all CVEs affecting Dir 820l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device crash requiring physical reboot, potentially leading to persistent denial of service if exploited repeatedly.

🟠

Likely Case

Temporary service disruption requiring router reboot, affecting all connected devices.

🟢

If Mitigated

Minimal impact if device is behind firewall with restricted web interface access.

🌐 Internet-Facing: HIGH - The web interface is typically accessible from WAN by default on many home routers.
🏢 Internal Only: MEDIUM - Attackers on the local network can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists showing exploitation via HTTP POST request to lan.asp with crafted reserveDHCP_HostName_1.1.1.0 parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for latest patched firmware

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit D-Link support website. 2. Download latest firmware for DIR-820L. 3. Log into router web interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Restrict Web Interface Access

all

Configure firewall rules to limit access to router management interface

🧯 If You Can't Patch

  • Place router behind additional firewall with strict inbound rules
  • Disable UPnP and ensure no port forwarding to router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Maintenance > Firmware

Check Version:

No CLI command - check via web interface at http://router_ip/

Verify Fix Applied:

Verify firmware version matches or exceeds patched version from D-Link advisory

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to lan.asp with long reserveDHCP_HostName parameters
  • Router crash/reboot events in system logs

Network Indicators:

  • Unusual HTTP traffic to router management port (typically 80/443)
  • Multiple connection attempts to lan.asp endpoint

SIEM Query:

http.url:"*lan.asp*" AND http.method:POST AND http.param:"*reserveDHCP_HostName*"

📊 Metadata

CVE ID: CVE-2023-25283
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-787
Published: March 13, 2023
Last Updated: February 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25283, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)