CVE-2026-4555 identifies a critical stack-based buffer overflow vulnerability in the D-Link DIR-513 router, specifically firmware version 1.10. The vulnerability resides in the formEasySetTimezone function within the boa embedded web server component, which processes HTTP requests at the /goform/formEasySetTimezone endpoint. The flaw arises from improper validation and handling of the curTime parameter, allowing an attacker to supply a crafted input that overflows the stack buffer. This overflow can overwrite the return address or other control data on the stack, enabling remote code execution under the privileges of the web server process. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly accessible to attackers scanning for vulnerable devices. The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation. Although the device is no longer supported and no official patches are available, a public exploit has been released, increasing the likelihood of exploitation in the wild. The affected device is typically deployed in small office or home office environments, but may still be found in legacy network infrastructure. The boa web server component is a lightweight embedded HTTP server commonly used in IoT and networking devices, and its vulnerabilities can lead to full device compromise. Due to the end-of-life status of the DIR-513, mitigation options are limited to network-level controls or device replacement.

The impact of CVE-2026-4555 is significant for organizations still operating the D-Link DIR-513 router with firmware version 1.10. Exploitation can lead to remote code execution, allowing attackers to fully compromise the device. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, and use of the device as a foothold for further attacks. Confidentiality is at risk as attackers may capture sensitive data passing through the router. Integrity and availability can be compromised by attackers modifying configurations or causing denial of service. Since the device is no longer supported, no security updates are forthcoming, leaving affected networks exposed. The availability of a public exploit increases the risk of automated attacks and widespread compromise. Organizations using this device in critical network segments or with sensitive data are particularly vulnerable. Legacy or unmanaged devices in enterprise or industrial environments could serve as entry points for attackers, undermining overall network security.

Given the lack of vendor support and absence of official patches, organizations should prioritize replacing the D-Link DIR-513 devices with modern, supported hardware that receives regular security updates. If immediate replacement is not feasible, network segmentation should be implemented to isolate the vulnerable device from critical systems and sensitive data. Deploy firewall rules to restrict access to the device’s management interface, allowing only trusted IP addresses or internal networks. Monitor network traffic for anomalous requests targeting /goform/formEasySetTimezone or unusual HTTP POST requests that could indicate exploitation attempts. Employ intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability or exploit patterns. Disable remote management features if enabled, or restrict them to secure VPN connections. Regularly audit network devices to identify legacy or unsupported hardware and maintain an asset inventory to prevent unmanaged exposure. Educate network administrators about the risks of legacy devices and the importance of timely hardware lifecycle management.