CVE-2020-29557 — D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability

D-Link DIR-825 R1 Router — Buffer Overflow in Web Interface Enables Unauthenticated Remote Code Execution; No Patch Available for Revision 1 Hardware

The D-Link DIR-825 is a consumer wireless router sold in several hardware revisions (R1, R2, and later). The R1 revision has reached end-of-life and no longer receives firmware security updates. The router's web-based management interface handles configuration, wireless settings, and administrative functions. Consumer and small-business routers like the DIR-825 are attractive targets for IoT botnets: they sit at the internet edge, often have management interfaces reachable from the WAN (by default or through UPnP port mappings), run outdated firmware, and are administered by users without dedicated security expertise.

Overview

CVE-2020-29557 is a buffer overflow (CWE-119) in the web interface of D-Link DIR-825 R1 devices. It is reachable remotely without authentication and allows arbitrary code execution on the router (CVSS 3.1 score 9.8, Critical). D-Link has confirmed that the R1 hardware revision is end-of-life and will not receive a patch. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog in November 2021, reflecting active exploitation by IoT botnets targeting home and small-business routers.

Affected Versions

Product                                     Vulnerable   Fixed
D-Link DIR-825 R1 (all firmware versions)   Yes          No patch: EOL hardware revision; replace or isolate
D-Link DIR-825 R2/R4/AC (other revisions)   Verify       Check the D-Link advisory (SAP10216) for revision-specific status

Technical Details

  • Root cause: a buffer overflow (CWE-119) in the DIR-825 R1 web interface. A CGI script or web server component does not check the length of user-supplied input before copying it into a fixed-size buffer, so an HTTP request carrying an oversized parameter writes past the buffer into adjacent stack or heap memory. When that memory holds control-flow data (a saved return address, a function pointer), the attacker chooses where execution resumes.
  • Stack-based exploitation: overflows in consumer router binaries are most often stack-based, and the saved return address is the usual target. The MIPS CPUs used in many consumer routers, D-Link models included, have their own exploitation quirks (for example, injected shellcode must be flushed from the data cache to the instruction cache before it can execute), but these techniques are well documented and routinely used by IoT exploit developers.
  • No authentication required: the overflow sits in a part of the web interface that is reachable before login, so any attacker who can reach the interface over the network can trigger it without credentials.
  • Impact of router compromise: a compromised router can intercept, redirect, or inspect all traffic from the devices behind it; provide persistent backdoor access to the network; participate in DDoS botnets; or serve as a pivot for attacks on internal hosts.
  • IoT botnet targeting: botnets such as Mirai, Moobot, and their variants scan the internet for router web interfaces on ports 80 and 8080 and fire known exploits at anything that responds; unauthenticated buffer overflows in those interfaces are a common initial compromise vector for botnet recruitment.
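The pattern behind this bug class, shown here as an added illustration and not as code from the DIR-825 firmware or from D-Link: a CGI handler copies a query parameter into a fixed-size local buffer with a strcpy-style loop, so a 40-byte value runs past the 32-byte buffer and into the frame slots holding the saved frame pointer and return address, while the hardened version measures the input first and rejects anything that will not fit. The stack frame is modelled as a flat byte array so the overwrite is deterministic and safe to run; the buffer size, the slot layout (32-byte buffer, then saved $fp, then saved $ra, loosely a MIPS o32 frame), the parameter value, the sentinel address and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the CWE-119 pattern, not D-Link code. Sizes, names and the
 * frame layout are assumptions chosen so the overwrite is visible. */
#define NAME_LEN     32                 /* fixed-size local buffer for the "name" parameter */
#define SAVED_FP_OFF NAME_LEN           /* modelled slot: saved frame pointer, 4 bytes */
#define SAVED_RA_OFF (NAME_LEN + 4)     /* modelled slot: saved return address, 4 bytes */
#define FRAME_LEN    64                 /* modelled frame, padded so the demo stays in bounds */
#define SENTINEL_RA  0x00400ABCu        /* stand-in for a legitimate return address */

/* Constructed request parameter: 32 bytes fill the buffer, "BBBB" lands on the
 * saved $fp slot and "CCCC" on the saved $ra slot (40 bytes plus terminator). */
#define CRAFTED_PARAM "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "BBBB" "CCCC"

/* Vulnerable handler: strcpy-style copy that stops only at the terminator.
 * Inputs here are kept under FRAME_LEN so the demo itself stays defined. */
static void copy_param_vulnerable(unsigned char *frame, const char *param)
{
    unsigned char *name = frame;        /* frame[0..NAME_LEN) is the local buffer */
    size_t i = 0;
    while (param[i] != '\0') {          /* never compared against NAME_LEN */
        name[i] = (unsigned char)param[i];
        i++;
    }
    name[i] = '\0';
}

/* Hardened handler: measure first, refuse anything that does not fit. */
static int copy_param_safe(unsigned char *frame, const char *param)
{
    size_t n = strlen(param);
    if (n >= NAME_LEN)                  /* keep one byte for the terminator */
        return -1;                      /* caller answers 400 Bad Request */
    memcpy(frame, param, n + 1);
    return 0;
}

/* Lay out a fresh frame: zeroed buffer, sentinel in the saved $ra slot. */
static void init_frame(unsigned char *frame)
{
    uint32_t ra = SENTINEL_RA;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + SAVED_RA_OFF, &ra, sizeof ra);
}

/* Read back whatever now occupies the saved $ra slot. */
static uint32_t saved_ra(const unsigned char *frame)
{
    uint32_t ra;
    memcpy(&ra, frame + SAVED_RA_OFF, sizeof ra);
    return ra;
}

/* Saved $ra after the vulnerable copy; 0x43434343 ("CCCC") means the
 * attacker now decides where the function returns. */
uint32_t ra_after_vulnerable(const char *param)
{
    unsigned char frame[FRAME_LEN];
    init_frame(frame);
    copy_param_vulnerable(frame, param);
    return saved_ra(frame);
}

/* Hardened path: 1 = input accepted and $ra intact, 0 = input rejected and
 * $ra intact, -1 = $ra was corrupted (must never happen). */
int safe_outcome(const char *param)
{
    unsigned char frame[FRAME_LEN];
    init_frame(frame);
    int rc = copy_param_safe(frame, param);
    if (saved_ra(frame) != SENTINEL_RA)
        return -1;
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    printf("benign, vulnerable copy:  saved $ra = 0x%08x\n", ra_after_vulnerable("dlink"));
    printf("crafted, vulnerable copy: saved $ra = 0x%08x\n", ra_after_vulnerable(CRAFTED_PARAM));
    printf("crafted, hardened copy:   %s\n",
           safe_outcome(CRAFTED_PARAM) == 0 ? "rejected (400)" : "accepted");
    return 0;
}
```

On the real device the copy does not stop at a padded frame: bytes beyond the return-address slot spill into the caller's frame, and the "CCCC" slot is where an exploit places the address of its shellcode or of a useful gadget. The fix rejects the request rather than silently truncating it, so the handler never processes an altered value; which of the two the DIR-825 R1 firmware does is moot, since no fixed build exists for that revision.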

Discovery

Discovered and reported by security researchers in late 2020. D-Link confirmed the R1 hardware revision cannot receive updated firmware due to EOL status. CISA's November 2021 KEV addition reflects active exploitation of deployed EOL DIR-825 R1 routers by botnets and other threat actors.

Exploitation Context

Consumer routers running EOL firmware are persistently targeted because they are widely deployed, rarely updated, and frequently have management interfaces reachable from the internet (on ISP-assigned public addresses, or through UPnP port mappings). The DIR-825 R1 overflow gives an attacker full control of the router and therefore of the home or small-business network boundary. IoT botnets have weaponized similar D-Link router vulnerabilities extensively; compromised routers are used for DDoS attacks, cryptomining, and as proxy infrastructure for subsequent attacks.

Remediation

  1. Replace the D-Link DIR-825 R1. No firmware patch exists, so replacement is the only permanent remediation for R1 hardware.
  2. Disable remote management immediately: in the router settings, ensure remote management (administration from the WAN side) is turned off. This removes the internet-facing exposure but not the LAN-side one: the vulnerable component is unauthenticated, so any device on the local network (including an already compromised IoT device) can still reach it.
  3. Change the router admin password to a strong, unique value so that the overflow is not accompanied by trivial credential-based access.
  4. Place the router behind an upstream router or firewall that blocks inbound internet access to its management port (normally 80/tcp, plus 443/tcp if HTTPS management is enabled).
  5. If replacement is not immediately possible, segment critical devices onto a separate VLAN or network that the DIR-825 cannot reach.
  6. Check for compromise indicators: unexpected outbound connections originating from the router itself, unusual DNS activity (for example, resolver settings the administrator did not configure), or configuration changes made without administrator action. Treat a suspected compromise as a reason to replace the device rather than reset it: a factory reset of unpatched firmware leaves the same vulnerability in place.

Key Details

Property               Value
CVE ID                 CVE-2020-29557
Vendor / Product       D-Link — DIR-825 R1 Devices
NVD Published          2021-01-29
NVD Last Modified      2025-11-07
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-119
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. The catalog's listed action is to apply updates per vendor instructions; because D-Link ships no fix for the R1 revision, following the vendor's guidance means retiring the device rather than patching it.

Timeline

Date         Event
2020-12-11   Vulnerability reported and disclosed
2021-01-29   CVE published; D-Link confirms no patch for the DIR-825 R1 hardware revision
2021-11-03   Added to the CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline

References

Resource                             Type
D-Link Security Advisory SAP10216    Vendor Advisory
NVD — CVE-2020-29557                 Vulnerability Database
CISA KEV Catalog Entry               US Government