search menu icon-carat-right cmu-wordmark

CERT Coordination Center

D-Link routers HNAP service contains stack-based buffer overflow

Vulnerability Note VU#677427

Original Release Date: 2016-11-07 | Last Revised: 2017-03-08


D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action.


CWE-121: Stack-based Buffer Overflow - CVE-2016-6563

Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha.

CVE-2016-6563 appears to affect:

    • DIR-823
    • DIR-822
    • DIR-818L(W)
    • DIR-895L
    • DIR-890L
    • DIR-885L
    • DIR-880L
    • DIR-868L
    • DIR-850L


A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.


Apply an update
D-Link has released firmware updates to address the vulnerabilities in affected routers. Please see their announcement.
If you are unable to update your device, please see the following workarounds:

Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks. Additionally, you may wish to disable remote administration of the router.

Vendor Information


D-Link Systems, Inc. Affected

Notified:  September 12, 2016 Updated: October 27, 2016



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 8 E:POC/RL:W/RC:ND
Environmental 6.0 CDP:N/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Pedro Ribeiro ( of Agile Information Security for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2016-6563
Date Public: 2016-11-07
Date First Published: 2016-11-07
Date Last Updated: 2017-03-08 15:16 UTC
Document Revision: 23

Sponsored by CISA.