Impact
The D‑Link DI‑8100 router is affected by an unchecked buffer overflow in the tgfile_htm CGI endpoint; the fn parameter is copied into a fixed‑size buffer without bounds checking, producing a classic stack corruption (CWE‑120) and an unsafe memory copy (CWE‑119). This flaw can be triggered remotely by sending a specially crafted HTTP request to tgfile.htm, enabling an attacker to write arbitrary data to memory and execute code with the privileges of the router’s web service. The impact is a complete compromise of the device if successfully exploited.
Affected Systems
Only the DI‑8100 model running firmware 16.07.26A1 is affected; other D‑Link router families or firmware revisions have not been reported as vulnerable.
Risk and Exploitability
The vulnerability has a CVSS score of 9.3, indicating critical severity, and a publicly available exploit demonstrates that exploitation is feasible. The EPSS score of 2% shows a low but non‑zero probability of exploitation, and the issue is not listed in the CISA KEV catalog. Because the attack can be launched from anywhere with network access to the device, the large population of exposed routers increases the risk of compromise.
OpenCVE Enrichment