
CVE-2025-5623: Stack-based Buffer Overflow in D-Link DIR-816

Critical
Published: Thu Jun 05 2025 (06/05/2025, 00:00:19 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DIR-816

Description

A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been classified as critical. This affects the function qosClassifier of the file /goform/qosClassifier. The manipulation of the argument dip_address/sip_address leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 07/07/2025, 03:55:39 UTC

Technical Analysis

CVE-2025-5623 is a critical stack-based buffer overflow vulnerability identified in the D-Link DIR-816 router, specifically affecting firmware version 1.10CNB05. The vulnerability resides in the qosClassifier function within the /goform/qosClassifier endpoint. It arises from improper handling and validation of the dip_address and sip_address parameters, which can be manipulated remotely by an attacker to overflow the stack buffer. This overflow can lead to arbitrary code execution, allowing an attacker to potentially take full control of the affected device without requiring authentication or user interaction. The vulnerability is remotely exploitable over the network, increasing its risk profile. Although the affected product is no longer supported by D-Link, the exploit code has been publicly disclosed, raising the likelihood of exploitation by threat actors. The CVSS v4.0 base score of 9.3 reflects the high severity, with attack vector being network-based, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The lack of vendor patches due to end-of-life status means that affected devices remain vulnerable unless mitigated by other means.

Potential Impact

For European organizations, the exploitation of CVE-2025-5623 could have significant consequences. Many small and medium enterprises (SMEs), as well as some home office environments, may still use legacy D-Link DIR-816 routers due to cost or lack of awareness. Successful exploitation could lead to full compromise of the router, allowing attackers to intercept, manipulate, or disrupt network traffic, potentially leading to data breaches, lateral movement within corporate networks, or denial of service. This is particularly critical for organizations relying on these devices as their primary network gateway or for quality of service management. The absence of vendor support and patches increases the risk of persistent exploitation. Additionally, compromised routers could be leveraged as part of botnets or for launching further attacks, impacting broader network stability and security within European infrastructure.

Mitigation Recommendations

Given the lack of official patches, European organizations should prioritize the following mitigations:

1) Immediate inventory and identification of all D-Link DIR-816 routers running version 1.10CNB05 or similar legacy firmware.
2) Replace affected devices with currently supported and patched hardware models to eliminate the vulnerability.
3) If replacement is not immediately feasible, isolate the vulnerable routers from critical network segments and restrict access to the /goform/qosClassifier endpoint via firewall rules or network segmentation.
4) Monitor network traffic for unusual patterns indicative of exploitation attempts, such as unexpected requests to the qosClassifier endpoint or anomalous outbound connections.
5) Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting this vulnerability or related exploit behaviors.
6) Educate IT staff and users about the risks of using unsupported network devices and the importance of timely hardware lifecycle management.
7) Regularly review and update network device inventories and security policies to prevent reliance on unsupported equipment.
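For the monitoring step (4), one possible check is to flag requests to /goform/qosClassifier whose dip_address or sip_address value is not a plain IP literal. This is an added example, not code from the advisory or from D-Link; the tab-separated record format, the function names, the sample records, and the premise that these fields normally hold an IP address are assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/qosClassifier"        # endpoint named in the advisory
WATCHED = ("dip_address", "sip_address")  # parameters named in the advisory


def suspicious_params(path, body):
    """Return (name, length) for watched parameters that are not an IP literal."""
    parts = urlsplit(path)
    if parts.path != ENDPOINT:
        return []
    # Merge query-string and form-body fields; either may carry the parameters.
    fields = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    hits = []
    for name in WATCHED:
        for value in fields.get(name, []):
            if not value:
                continue  # assumption: a blank field is normal form traffic
            try:
                ipaddress.ip_address(value)
            except ValueError:
                hits.append((name, len(value)))
    return hits


def scan(lines):
    """Scan tab-separated 'src, method, path, body' records and return alerts."""
    alerts = []
    for line in lines:
        src, _method, path, body = line.rstrip("\n").split("\t", 3)
        for name, length in suspicious_params(path, body):
            alerts.append({"src": src, "param": name, "length": length})
    return alerts


# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = [
    "192.0.2.10\tPOST\t/goform/qosClassifier\tdip_address=192.168.0.20&sip_address=192.168.0.1",
    "198.51.100.7\tPOST\t/goform/qosClassifier\tdip_address=" + "x" * 300 + "&sip_address=10.0.0.1",
    "192.0.2.10\tGET\t/index.asp\t",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The reported length helps triage: a value far longer than any address string is the pattern the advisory's overflow description implies, while a short non-IP value is more likely a typo or a form quirk.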


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T11:10:20.298Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68418437182aa0cae2dcccb3

Added to database: 6/5/2025, 11:49:11 AM

Last enriched: 7/7/2025, 3:55:39 AM

Last updated: 8/6/2025, 3:07:10 PM
