CVE-2025-28395

7.1 HIGH

📋 TL;DR

A buffer overflow vulnerability exists in D-LINK DI-8100 routers in the ipsec_road_asp function via the host_ip parameter. This allows attackers to potentially execute arbitrary code or crash the device. Organizations using affected D-LINK DI-8100 routers with vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • D-LINK DI-8100
Versions: 16.07.26A1
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the IPSec configuration interface. Requires access to the vulnerable function, typically via web interface or management services.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, credential theft, network pivoting, and persistent backdoor installation.

🟠 Likely Case

Denial of service causing router crashes and network disruption, with potential for limited code execution in constrained environments.

🟢 If Mitigated

Denial of service only, with no code execution due to modern exploit mitigations or network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending specially crafted requests to the vulnerable function. A public proof-of-concept exists in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check D-LINK security advisories for patch availability.
2. Download the latest firmware from the official D-LINK support site.
3. Back up the current configuration.
4. Upload the new firmware via the web interface.
5. Restart the router.
6. Restore the configuration if needed.

🔧 Temporary Workarounds

Disable IPSec Road Warrior functionality (applies to: all)

Remove or disable the vulnerable IPSec Road Warrior feature if not required.

Restrict management access (applies to: all)

Limit access to the router management interface to trusted IP addresses only.

🧯 If You Can't Patch

  • Segment affected routers in isolated network zones with strict firewall rules
  • Implement network monitoring for abnormal traffic patterns to vulnerable services

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System Status > Firmware Version. If version is 16.07.26A1, device is vulnerable.

Check Version:

Check via web interface or SSH: show version

Verify Fix Applied:

Verify firmware version has been updated to a version later than 16.07.26A1.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to ipsec_road_asp endpoint
  • Router crash/reboot logs
  • Large or malformed host_ip parameter values

Network Indicators:

  • Abnormal traffic patterns to router management interface
  • Exploit attempt signatures in IPSec-related traffic

SIEM Query:

source="router_logs" AND (uri="*ipsec_road_asp*" OR message="*buffer overflow*" OR message="*crash*")
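The log indicators above can be checked offline against exported management-interface access logs. The following is an added example, not code from the page or from D-LINK: it parses Common Log Format lines (an assumed format; the router's real log layout may differ), flags requests to the ipsec_road_asp endpoint whose host_ip parameter is longer than any legitimate IP address or contains characters that cannot appear in one, and notes server errors on that endpoint as a possible crash. The 45-character bound and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed upper bound for a legitimate host_ip value: an IPv6 address with an
# embedded IPv4 address is 45 characters. This is not a vendor figure.
MAX_HOST_IP_LEN = 45
VULN_PATH = "ipsec_road_asp"
# Characters that can appear in an IPv4 or IPv6 literal.
HOST_IP_RE = re.compile(r"^[0-9A-Fa-f.:]+$")

# Common Log Format with the query string kept in the request line (assumed).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines, not captured from a real device.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "POST /ipsec_road_asp?host_ip=203.0.113.10 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Mar/2025:12:00:02 +0000] "GET /status.asp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "POST /ipsec_road_asp?host_ip='
    + "A" * 300 + ' HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "POST /ipsec_road_asp?host_ip=not-an-address HTTP/1.1" 200 512',
]


def parse_line(line):
    """Split one access-log line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["uri"])
    entry["path"] = parts.path
    entry["params"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def check_entry(entry):
    """Return the reasons a parsed request looks like abuse of host_ip (empty if benign)."""
    reasons = []
    if VULN_PATH not in entry["path"]:
        return reasons
    for value in entry["params"].get("host_ip", []):
        if len(value) > MAX_HOST_IP_LEN:
            reasons.append(f"host_ip length {len(value)} exceeds {MAX_HOST_IP_LEN}")
        if not HOST_IP_RE.match(value):
            reasons.append("host_ip contains characters not valid in an IP address")
    # A 5xx on this endpoint matches the "router crash" indicator.
    if entry["status"].startswith("5"):
        reasons.append(f"server error {entry['status']} on {VULN_PATH} (possible crash)")
    return reasons


def scan(lines):
    """Run check_entry over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = check_entry(entry)
        if reasons:
            findings.append({"src": entry["src"], "ts": entry["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding["ts"], finding["src"], "; ".join(finding["reasons"]))
```

Run against an exported log file by replacing SAMPLE_LOGS with the file's lines; the length and character checks are independent, so an oversized but hex-only value and a short but malformed value are both reported.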
