CVE-2022-37055 — D-Link Routers Buffer Overflow Vulnerability

CVE-2022-37055

D-Link Routers (EoL) — Unauthenticated Buffer Overflow Enables RCE; No Patch Available for End-of-Life Devices

D-Link is a major networking equipment manufacturer producing routers, switches, access points, and network cameras for consumers and small businesses. The affected models in CVE-2022-37055 are consumer-grade and small business routers that have reached end-of-life (EoL) or end-of-service (EoS) status — meaning D-Link no longer provides firmware updates, security patches, or technical support for them. EoL networking devices are particularly dangerous attack targets: they accumulate unpatched vulnerabilities over time, remain widely deployed due to users' reluctance to replace functioning hardware, and often have predictable firmware architectures that make vulnerability research straightforward.

Overview

CVE-2022-37055 is a critical buffer overflow (CWE-120, CVSS 3.1 base score 9.8) in D-Link routers. An unauthenticated remote attacker can achieve code execution by sending a crafted request to a network-accessible service on the device, which copies the request data into a fixed-size buffer without checking its length. The affected devices are end-of-life: D-Link has not released a patch and will not release one. CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog in December 2025, more than three years after publication, reflecting ongoing exploitation of unpatched EoL D-Link devices in the wild. Because no vendor mitigation exists, CISA's required action amounts to discontinuing use of the product.

Affected Versions

Product                         Status
Affected D-Link router models   End-of-life — no patch will be issued

Specific model numbers are documented in D-Link Security Announcement SAP10308. D-Link advises customers to retire and replace these devices.

Technical Details

The vulnerability (CWE-120: Buffer Copy without Checking Size of Input, the "classic" buffer overflow) exists in a network-accessible service on the router. The service copies user-supplied request data into a fixed-size buffer (on the stack or heap) using the length the request supplies, without first comparing that length against the destination's capacity.

A request longer than the buffer therefore overwrites whatever lies beyond it: other local variables, a saved return address in the stack frame, or function pointers and heap metadata. On the MIPS-based embedded Linux platforms typical of consumer routers, such overflows are reliably exploitable. Firmware binaries are commonly built without stack canaries or position-independent code, kernels frequently ship with ASLR disabled or limited to a few regions, and the stack is often executable, so a corrupted saved return address can be pointed at attacker-supplied shellcode or at existing library code with little or no information leak required. The public record for this CVE does not name the affected service or the exact copy routine, so the description here is of the bug class rather than of the specific code path.

Successful exploitation yields code execution with the privileges of the vulnerable service, which on consumer routers is usually root, since these devices rarely implement privilege separation between services.
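The following added example models the CWE-120 pattern described above and its hardened counterpart. It is constructed for this page and is not code from the D-Link firmware; the frame layout (a 16-byte field buffer followed directly by a saved return address), the request format, and the names handle_unchecked and handle_checked are assumptions chosen to make the corruption observable. The "frame" is a struct rather than a real stack frame so the overflow stays within defined behaviour and can be checked by a test instead of crashing the process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stack frame in a 32-bit router daemon: a
 * fixed-size field buffer immediately followed by the saved return address.
 * Real frames hold other locals too; the adjacency is what matters here. */
#define FIELD_MAX 16
#define GOOD_RA   0x00400ABCu   /* arbitrary "legitimate" return address */

struct frame {
    char     field[FIELD_MAX];
    uint32_t saved_ra;          /* models $ra saved by the function prologue */
};

/* CWE-120 pattern: the copy length is whatever the request supplied and is
 * never compared with sizeof(field). The write goes through a byte pointer to
 * the whole frame so the spill into saved_ra is well-defined C and visible in
 * the return value. Capping at sizeof f only keeps this demo inside the
 * struct; the real bug has no such cap and keeps writing up the stack. */
static uint32_t handle_unchecked(const uint8_t *req, size_t req_len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ra = GOOD_RA;

    size_t n = req_len > sizeof f ? sizeof f : req_len;
    memcpy((unsigned char *)&f + offsetof(struct frame, field), req, n);

    return f.saved_ra;          /* attacker bytes once req_len > FIELD_MAX */
}

/* Hardened version: refuse anything that does not fit (leaving room for the
 * terminator) before touching the buffer, so saved_ra cannot be reached. */
static int handle_checked(const uint8_t *req, size_t req_len, uint32_t *ra_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ra = GOOD_RA;

    if (req_len >= FIELD_MAX) {
        *ra_out = f.saved_ra;
        return -1;              /* oversized request rejected, frame intact */
    }
    memcpy(f.field, req, req_len);
    f.field[req_len] = '\0';

    *ra_out = f.saved_ra;
    return 0;
}

/* Constructed 20-byte request: 16 filler bytes exhaust the field, then four
 * 0x42 bytes land on saved_ra (same value on either endianness). */
static size_t build_overflow_request(uint8_t *out, size_t cap)
{
    if (cap < FIELD_MAX + 4) return 0;
    memset(out, 'A', FIELD_MAX);
    memset(out + FIELD_MAX, 'B', 4);
    return FIELD_MAX + 4;
}

/* Drive each handler with the constructed request and return the outcome so
 * it can be asserted on rather than read off printed output. */
static uint32_t demo_unchecked_ra(void)
{
    uint8_t req[32];
    size_t n = build_overflow_request(req, sizeof req);
    return handle_unchecked(req, n);      /* 0x42424242: return address hijacked */
}

static int demo_checked_rc(void)
{
    uint8_t req[32];
    uint32_t ra = 0;
    size_t n = build_overflow_request(req, sizeof req);
    return handle_checked(req, n, &ra);   /* -1: request refused */
}

static uint32_t demo_checked_ra(void)
{
    uint8_t req[32];
    uint32_t ra = 0;
    size_t n = build_overflow_request(req, sizeof req);
    handle_checked(req, n, &ra);
    return ra;                            /* GOOD_RA: frame untouched */
}

int main(void)
{
    printf("unchecked: saved_ra = 0x%08x (was 0x%08x)\n",
           (unsigned)demo_unchecked_ra(), (unsigned)GOOD_RA);
    printf("checked:   rc = %d, saved_ra = 0x%08x\n",
           demo_checked_rc(), (unsigned)demo_checked_ra());
    return 0;
}
```

Build with `cc -std=c11 -Wall overflow_demo.c`. On a real device the overwritten saved return address is loaded into the program counter when the function returns, which is the step that turns the overflow into code execution; here it is simply returned so the effect of the missing length check is visible. The fix is the single comparison in handle_checked: the destination size is known at compile time, so the copy must never be driven by a length the peer chose. Functions such as snprintf or strlcpy, which take the destination size as an argument, make that check harder to omit than raw strcpy or memcpy.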

Discovery

Reported by security researchers examining D-Link router firmware. The 3+ year gap between CVE publication (August 2022) and KEV addition (December 2025) reflects that exploitation was eventually observed in the wild despite the EoL device status — likely by botnet operators who continue to incorporate old EoL device vulnerabilities into scanning and exploitation campaigns.

Exploitation Context

EoL D-Link routers are actively targeted by multiple botnet families — particularly Mirai variants and their successors — which scan for vulnerable devices at scale and incorporate them into DDoS infrastructure. These botnets maintain libraries of exploit code for numerous EoL device models that remain deployed despite vendor support ending.

The pattern of EoL device exploitation reflects:

  • Consumer and small business users who replace hardware only when it fails, not when software support ends
  • ISPs that deploy routers in customer premises and do not manage firmware updates
  • The long operational lifespan of networking equipment (5–10+ years) vs. the short support window (3–5 years)

With no patch forthcoming, the only remediation is device replacement — but millions of EoL routers remain deployed globally.

Remediation

  1. Replace the device: No patch is available or expected. CISA explicitly recommends discontinuing use. Purchase a currently supported router model.
  2. Verify EoL status: Check D-Link's product support page to confirm whether your specific model is affected and whether it has reached EoL.
  3. Disable remote management: As an interim measure until replacement, disable WAN-side remote management if it is enabled, and confirm from outside the network that the administrative interface no longer answers. This only removes the internet-facing exposure; because the public record does not say which service is vulnerable, the flaw should be assumed to remain reachable from the LAN and from any device already on the network.
  4. Segment the device: If immediate replacement is not possible, isolate the device behind an additional security layer and restrict what it can reach on the internal network.
  5. Monitor for compromise indicators: An EoL router that cannot be patched should be watched for behaviour a router has no reason to exhibit on its own, such as outbound connections it initiates to arbitrary hosts (beyond DNS, NTP, and vendor update checks), scanning of the LAN or internet, sustained high-volume traffic toward a single destination, or changes to DNS, port-forwarding, or administrator settings that nobody made.
  6. Check ISP for replacement programs: Some ISPs that supplied these routers may offer replacement programs for affected customers.

Key Details

Property              Value
CVE ID                CVE-2022-37055
Vendor / Product      D-Link — Routers
NVD Published         2022-08-28
NVD Last Modified     2025-12-10
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-120
CISA KEV Added        2025-12-08
CISA KEV Deadline     2025-12-29
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-12-29. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2022-08-28  CVE published
2025-12-08  CISA added to KEV; active exploitation of EoL D-Link devices confirmed
2025-12-29  CISA BOD 22-01 remediation deadline

References

Resource                                Type
NVD — CVE-2022-37055                    Vulnerability Database
CISA KEV Catalog Entry                  US Government
D-Link Security Announcement SAP10308   Vendor Advisory