Description
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Buffer Overflow via Web Interface
Action: Apply Update
AI Analysis

Impact

A buffer overflow flaw exists in the QoS configuration page (qos.asp) of D‑Link DI‑8003 routers running firmware 16.07.26A1, where the "wans" parameter is processed without proper bounds checking. The overflow can corrupt memory and may result in a denial of service or, in the worst case, allow an attacker to execute arbitrary code on the device. The weakness is classified as a classic buffer overrun (CWE‑120).

Affected Systems

The issue specifically targets the D‑Link DI‑8003 model with firmware version 16.07.26A1. No other firmware releases are mentioned in the CVE data, so the impact on earlier or later releases is unknown.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector, based on the description, involves accessing the router’s web management interface at the qos.asp endpoint, which may require administrative credentials or the exploitation of weak or default passwords. The overall risk is moderate to high for routers that expose their management interface to untrusted networks.

Generated by OpenCVE AI on April 13, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the D‑Link security bulletin for an available firmware update that resolves this issue; if a patch is published, install it promptly.
  • If no updated firmware is available, block or disable the qos.asp endpoint or QoS functionality through firewall rules or by turning off QoS in the router settings.
  • Restrict access to the router’s web management interface to trusted IP ranges or internal networks only.
  • Ensure the device’s administrative password has been changed from any default value and is strong.
  • Monitor the router’s logs for anomalous access attempts to the web interface or unusual changes to QoS settings.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:00:00 +0000


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Buffer Overflow in D-Link DI-8003 QoS Web Interface

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Buffer Overflow in D‑Link DI‑8003 WANS Parameter Leading to Potential Remote Code Execution
Weaknesses CWE-119

Fri, 10 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Dlink di-8003 Firmware
CPEs cpe:2.3:h:dlink:di-8003:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:di-8003_firmware:16.07.26a1:*:*:*:*:*:*:*
Vendors & Products Dlink di-8003 Firmware

Fri, 10 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Buffer Overflow in D‑Link DI‑8003 WANS Parameter Leading to Potential Remote Code Execution
First Time appeared Dlink
Dlink di-8003
Weaknesses CWE-119
Vendors & Products Dlink
Dlink di-8003

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T15:28:02.067Z

Reserved: 2025-06-16T00:00:00.000Z

Link: CVE-2025-50647

Vulnrichment

Updated: 2026-04-10T13:14:31.498Z

NVD

Status: Modified

Published: 2026-04-08T19:24:15.460

Modified: 2026-04-22T16:16:49.330

Link: CVE-2025-50647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:40:36Z

Weaknesses