CVE-2025-15194 identifies a stack-based buffer overflow vulnerability in the D-Link DIR-600 router firmware up to version 2.15WWb02. The vulnerability resides in the hedwig.cgi component, specifically within the HTTP Header Handler that processes the Cookie argument. By crafting a malicious HTTP request with a specially manipulated Cookie header, an attacker can overflow the stack buffer, potentially overwriting return addresses or control data. This can lead to arbitrary code execution on the device with the privileges of the HTTP service, which typically runs with elevated permissions. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it highly dangerous. The CVSS 4.0 score of 9.3 reflects the critical nature, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high, as attackers can take full control of the device, intercept or manipulate traffic, or disrupt network connectivity. Although the product is no longer supported and no official patches are available, public exploit code has been released, increasing the likelihood of active exploitation. The affected device is widely used in home and small office environments, but some European organizations may still rely on it in legacy or secondary network segments. The lack of vendor support complicates remediation, emphasizing the need for compensating controls or device replacement.

For European organizations, this vulnerability poses a significant risk, especially for those still operating legacy D-Link DIR-600 routers in their network infrastructure. Successful exploitation can lead to full compromise of the affected device, enabling attackers to intercept sensitive data, pivot into internal networks, disrupt connectivity, or deploy persistent malware. This can impact confidentiality by exposing internal communications, integrity by allowing manipulation of network traffic, and availability by causing denial of service or device crashes. Given the router’s role as a gateway device, compromise can have cascading effects on network security. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) face increased regulatory and operational risks. The lack of vendor patches means that organizations must rely on network segmentation, intrusion detection, and device replacement to mitigate risk. The public availability of exploit code increases the likelihood of opportunistic attacks targeting vulnerable devices in Europe.

Since the D-Link DIR-600 affected versions are no longer supported and no official patches exist, organizations should prioritize replacing these devices with supported hardware running updated firmware. In the interim, network-level mitigations include: 1) Restricting access to the router’s management interface by implementing firewall rules that block inbound HTTP/HTTPS requests from untrusted networks; 2) Employing network segmentation to isolate legacy devices from critical infrastructure and sensitive data environments; 3) Deploying intrusion detection and prevention systems (IDS/IPS) to detect and block exploit attempts targeting the hedwig.cgi endpoint or anomalous Cookie header manipulations; 4) Monitoring network traffic for unusual HTTP header patterns indicative of exploitation attempts; 5) Disabling remote management features if not required; 6) Enforcing strict access controls and network authentication to reduce exposure; and 7) Conducting regular network scans to identify legacy devices still in use. Additionally, educating IT staff about the risks of unsupported devices and the importance of timely hardware lifecycle management is critical.