CVE-2025-52222
Published: 08 April 2026
Summary
CVE-2025-52222 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Dlink Di-8100 Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely patching of the buffer overflow flaw in the radius_asp function as per D-Link security bulletins.
Enforces validation of HTTP parameters like rd_en and rd_auth to reject oversized inputs before they trigger the buffer overflow in radius_asp.
Implements DoS protections such as rate limiting on the vulnerable HTTP endpoint to block crafted requests causing device crashes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing radius_asp endpoint on routers enables remote unauthenticated exploitation over HTTP, directly mapping to T1190; resulting device crash/reboot is a DoS outcome but no other Enterprise techniques are directly facilitated.
NVD Description
D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the…
more
radius_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
Deeper analysisAI
CVE-2025-52222 is a buffer overflow vulnerability (CWE-120) affecting multiple D-Link router models and firmware versions, including DI-8003 v16.07.26A1, DI-8500 v16.07.26A1, DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1. The flaw resides in the radius_asp function, which can be triggered by specially crafted requests containing oversized values in parameters such as rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip. Published on April 8, 2026, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for availability disruption.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a malicious HTTP request to the vulnerable radius_asp endpoint, an attacker can overflow the buffer, leading to a denial-of-service condition such as device crashes or reboots. While the impact is limited to availability with no confidentiality or integrity effects, repeated exploitation could render the affected routers unavailable, disrupting network services for users relying on these devices.
Advisories and further details are available in the D-Link security bulletin at https://www.dlink.com/en/security-bulletin/ and a collection of IoT vulnerabilities on GitHub at https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md, which may provide guidance on patches or workarounds for the listed firmware versions.
Details
- CWE(s)