CVE-2026-10270: D-Link DI-7001 MINI Stack-Based Buffer Overflow in httpd_debug.asp
D-Link DI-7001 MINI routers running firmware version 19.09.19A1 and earlier contain a stack-based buffer overflow in the web API debug interface. An attacker with valid login credentials can send a specially crafted request to the /httpd_debug.asp endpoint that overflows a buffer, potentially allowing arbitrary code execution on the device. Exploit code has been publicly disclosed, elevating near-term risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in D-Link DI-7001 MINI up to 19.09.19A1. Impacted is the function sprintf of the file /httpd_debug.asp of the component API. The manipulation of the argument Time results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the sprintf function within /httpd_debug.asp, where the Time parameter is processed without proper bounds checking. This classic stack-based buffer overflow (CWE-119, CWE-121) can be triggered remotely but requires prior authentication. The condition—network-accessible service, low complexity exploitation, and high impact on confidentiality, integrity, and availability—yields a CVSS 3.1 score of 8.8 (HIGH). Public availability of exploit code significantly reduces the barrier to weaponization.
Business impact
Compromise of a D-Link DI-7001 MINI router allows attackers to assume full control of the device and the network it protects. An authenticated attacker can inject malicious code into the router's memory, potentially enabling traffic interception, lateral network movement, DNS hijacking, and persistent backdoor installation. For organizations relying on these devices as network perimeter equipment, this represents a direct threat to network confidentiality and operational integrity.
Affected systems
D-Link DI-7001 MINI 8G routers with firmware version 19.09.19A1 and earlier are vulnerable. Verify your device model (DI-7001MINI-8G) and check your current firmware version in the device administration panel. Firmware updates older than the patched version, and any legacy deployments that have not received security updates, remain at risk.
Exploitability
Exploitation requires valid credentials to access the web administration interface, which may be obtained through common attack vectors (phishing, credential compromise, default credentials). The low attack complexity and remotely-accessible API mean that once a valid user account is compromised, code execution is straightforward. The public release of exploit code and proof-of-concept materials substantially increases the likelihood of opportunistic attacks against unpatched installations. Organizations with exposed router interfaces or weak authentication posture face heightened immediate risk.
Remediation
Priority action: upgrade the router firmware to a version later than 19.09.19A1. Contact D-Link support or consult the device's firmware update portal for availability. Interim compensating controls include: (1) restrict web administration access to trusted IP ranges via firewall rules, (2) enforce strong, unique credentials on all administrative accounts, (3) disable remote management if not required, and (4) monitor administrative interface logs for suspicious activity or failed login attempts.
Patch guidance
D-Link has released firmware updates addressing this vulnerability. Visit the official D-Link support page for the DI-7001MINI-8G model and download the latest available firmware version higher than 19.09.19A1. Before applying patches in production, test in a lab environment. Coordinate rollout with your maintenance windows to minimize service disruption. Document the firmware version and update timestamp for compliance records. If your organization uses managed D-Link devices, contact your vendor or systems integrator for guidance on coordinated patching.
Detection guidance
Monitor for unexpected processes spawned from the httpd daemon or changes to the router's running processes and memory. Inspect web server logs for POST requests to /httpd_debug.asp with unusual parameter values, especially oversized Time parameters. Look for authentication failures followed by rapid administrative access attempts. Intrusion detection signatures targeting CWE-119/CWE-121 stack overflow patterns may trigger on malicious payloads. Conduct firmware integrity verification on affected devices to detect unauthorized modifications.
Why prioritize this
This vulnerability merits high priority due to: (1) CVSS 8.8 (HIGH) with maximum impact to C, I, and A, (2) public exploit availability reducing attack barriers, (3) direct access to network infrastructure enabling broad lateral movement, and (4) the authentication requirement, while protective, does not eliminate risk given credential compromise prevalence. Any D-Link DI-7001 MINI in production should be treated as urgent for patching.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a remote, unauthenticated network attack surface (AV:N) with low attack complexity (AC:L), a requirement for valid credentials (PR:L), no user interaction needed (UI:N), and high impact across all three security pillars—confidentiality, integrity, and availability (C:H/I:H/A:H). The 'L' in PR:L indicates that an attacker must already have gained a foothold (logged-in user status), which is a realistic scenario given compromised credentials or default passwords. The public disclosure of functional exploit code effectively elevates real-world risk beyond the baseline CVSS calculation.
Frequently asked questions
Do I need valid router admin credentials to exploit this vulnerability?
Yes. The vulnerability requires a valid login session to the router's web administration interface. However, this is not a strong barrier if default credentials have not been changed, credentials have been compromised, or an attacker can socially engineer legitimate users. Assume any internal attacker or compromised account holder is a threat.
What versions of D-Link DI-7001 MINI firmware are vulnerable?
Firmware version 19.09.19A1 and all earlier versions. Verify your current firmware by logging into the device or checking the System Settings page. If your version is 19.09.19A1 or lower, the device is vulnerable and should be updated immediately.
Can this vulnerability be exploited without network access?
No. The API endpoint is accessible only via the network interface(s) the router is connected to. However, if the router's administrative interface is exposed to the internet or accessible from a compromised internal network, remote exploitation becomes practical.
If I cannot patch immediately, what steps can I take?
Restrict web administration access to a trusted IP range or VLAN using firewall rules. Disable remote management if not essential. Enforce complex, unique passwords on all administrative accounts. Monitor logs for suspicious activity. These measures reduce attack surface but do not eliminate risk; patching should remain your priority.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. The vulnerability details, including affected versions and CVSS scores, are based on the source data provided as of the publication and modification dates listed. Patch availability, firmware versions, and vendor guidance are subject to change; verify current information against D-Link's official security advisories and support channels before implementing mitigations. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence relative to your specific environment. Always test patches and mitigations in a controlled environment before production deployment. Unauthorized access to network devices remains illegal; this information is intended for defensive purposes only within authorized systems and networks. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow