CVE-2025-5622: Stack-based Buffer Overflow in D-Link DIR-816

Severity: Critical
Published: Thu Jun 05 2025 (06/05/2025, 00:00:16 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DIR-816

Description

A vulnerability was found in D-Link DIR-816 1.10CNB05 and classified as critical. Affected by this issue is the function wirelessApcli_5g of the file /goform/wirelessApcli_5g. The manipulation of the argument apcli_mode_5g/apcli_enc_5g/apcli_default_key_5g leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 07/07/2025, 03:10:58 UTC

Technical Analysis

CVE-2025-5622 is a critical stack-based buffer overflow in the D-Link DIR-816 router, firmware version 1.10CNB05. The flaw is in the wirelessApcli_5g function, which handles requests to the /goform/wirelessApcli_5g endpoint and processes parameters such as apcli_mode_5g, apcli_enc_5g, and apcli_default_key_5g. Because these input arguments are not properly handled and validated, an attacker can overflow the stack buffer remotely by sending crafted requests to this endpoint. The vulnerability is exploitable over the network without authentication or user interaction, so it poses a significant risk. Successful exploitation can lead to arbitrary code execution with the privileges of the affected service, potentially allowing full compromise of the router.

The vulnerability affects only an outdated and unsupported firmware version, so no official patches are available from the vendor. Although no exploits have been observed in the wild yet, the public disclosure of the vulnerability and its critical CVSS 9.3 rating indicate a high likelihood of exploitation attempts. The vulnerability impacts the confidentiality, integrity, and availability of the device and any network behind it, as attackers could intercept, manipulate, or disrupt network traffic or use the device as a foothold for further attacks.

Potential Impact

For European organizations, this vulnerability could have severe consequences, especially for small and medium enterprises or home office environments that rely on the D-Link DIR-816 router model. Compromise of these routers could lead to unauthorized access to internal networks, interception of sensitive communications, and potential lateral movement to other critical systems. Given that the affected firmware is no longer supported, organizations may face challenges in securing these devices, increasing the risk of persistent threats. The impact is particularly critical for sectors handling sensitive personal data under GDPR, as exploitation could lead to data breaches and regulatory penalties. Additionally, compromised routers could be leveraged in botnets or distributed denial-of-service (DDoS) attacks, affecting broader network stability. The lack of vendor patches necessitates immediate mitigation to prevent exploitation, especially in environments where these routers are still operational.

Mitigation Recommendations

Since the affected firmware version 1.10CNB05 is no longer supported and no official patches are available, organizations should prioritize the following mitigations:

1) Immediate replacement or upgrade of the D-Link DIR-816 routers to newer, supported models with updated firmware.
2) If replacement is not immediately feasible, isolate the vulnerable routers from critical network segments and restrict access to the /goform/wirelessApcli_5g endpoint via firewall rules or network segmentation to limit exposure.
3) Disable remote management features on the router to prevent external exploitation attempts.
4) Monitor network traffic for unusual activity indicative of exploitation attempts, such as malformed requests targeting the wirelessApcli_5g function.
5) Implement network-level intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect exploitation attempts.
6) Educate users and administrators about the risks of using unsupported firmware and the importance of timely hardware lifecycle management.
7) Regularly audit network devices to identify and remediate unsupported or vulnerable equipment.
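
An added detection sketch for the monitoring recommendation above (not part of the original advisory or of any vendor tooling): it scans request records for the endpoint and parameter names given in the description and flags oversized or non-printable values. The record format, the sample lines and the 64-character threshold are assumptions; the advisory does not state the buffer size.

```python
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/wirelessApcli_5g"  # endpoint named in the advisory
PARAMS = ("apcli_mode_5g", "apcli_enc_5g", "apcli_default_key_5g")
MAX_LEN = 64  # assumption: the advisory gives no buffer size; tune per site
# Constructed sample records: "<src> <method> <url> <form body or ->"
SAMPLE_LOG = """\
192.0.2.10 POST /goform/wirelessApcli_5g apcli_mode_5g=WPA2PSK&apcli_enc_5g=AES&apcli_default_key_5g=1
198.51.100.7 POST /goform/wirelessApcli_5g apcli_mode_5g=WPA2PSK&apcli_enc_5g={long}
198.51.100.7 POST /goform/wirelessApcli_5g?x=1 apcli_mode_5g=%41%00%42&apcli_enc_5g=AES
192.0.2.10 GET /index.asp -
""".format(long="A" * 300)


def inspect_record(line):
    """Return the reasons a record looks like an overflow attempt (or [])."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return []
    _src, _method, url, body = parts
    target = urlsplit(url)
    if target.path.rstrip("/") != ENDPOINT:
        return []
    # The parameters may arrive in the query string or in the form body.
    fields = parse_qsl(target.query, keep_blank_values=True)
    if body != "-":
        fields += parse_qsl(body, keep_blank_values=True)
    reasons = []
    for name, value in (f for f in fields if f[0] in PARAMS):
        if len(value) > MAX_LEN:
            reasons.append(f"{name}: length {len(value)} > {MAX_LEN}")
        if not value.isprintable():
            reasons.append(f"{name}: non-printable characters after decoding")
    return reasons


def scan(log_text):
    """Return (source, reasons) for every suspicious record in the log."""
    hits = []
    for line in log_text.splitlines():
        reasons = inspect_record(line)
        if reasons:
            hits.append((line.split(" ", 1)[0], reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, "; ".join(reasons))
```

The same length and character checks can be expressed as an IDS/IPS rule on the request body once a site-appropriate threshold has been chosen.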

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T11:10:18.118Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6840e152182aa0cae2c5652d

Added to database: 6/5/2025, 12:14:10 AM

Last enriched: 7/7/2025, 3:10:58 AM

Last updated: 8/4/2025, 6:18:42 PM
