A critical remote code execution vulnerability, identified as CVE-2025-15194, affects end-of-life D-Link DIR-600 routers. An unauthenticated remote attacker can exploit this flaw by sending a malicious web request to take complete control of the device, potentially leading to network compromise, data theft, and further internal attacks. Since the product is no longer supported, no patch is available, making immediate device replacement the only effective remediation.

This vulnerability is a stack-based buffer overflow within the HTTP Header Handler component of the device's web server. A remote, unauthenticated attacker can trigger the overflow by sending a specially crafted HTTP request to the hedwig.cgi file containing an overly long Cookie header. Successful exploitation overwrites critical data on the stack, allowing the attacker to execute arbitrary code with the privileges of the web server on the device, resulting in a full system compromise.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a complete compromise of the affected network device, allowing an attacker to gain a foothold in the network perimeter. Potential consequences include interception and redirection of network traffic, eavesdropping on sensitive communications, launching attacks against internal network assets, and incorporating the compromised device into a botnet for use in larger-scale attacks like DDoS. For an organization, this represents a significant risk of data breaches, operational disruption, and reputational damage.

Immediate Action: The affected product is end-of-life and no longer supported by the vendor; therefore, no security patch will be released. The primary remediation is to immediately decommission and replace all vulnerable D-Link DIR-600 devices with a currently supported product. Until replacement is possible, restrict all access to the device's web management interface from the internet (WAN).

Proactive Monitoring: Monitor network traffic for anomalous requests targeting the hedwig.cgi file, particularly those with unusually large or malformed Cookie headers. Network intrusion detection systems (IDS) should be configured with signatures to detect known exploit attempts. Review firewall and web server logs for connections to the device's management interface from untrusted or external IP addresses.

Compensating Controls: If the device cannot be immediately replaced, implement the following controls:

• Ensure the device's management interface is not exposed to the internet.
• Implement strict firewall rules to limit all inbound and outbound traffic to and from the device to only what is absolutely necessary for its function.
• Place the device in a segmented network zone to limit an attacker's ability to move laterally into the corporate network if the device is compromised.

Public Exploit Available: true

Due to the critical severity (CVSS 9.8), the availability of a public exploit, and the lack of a vendor patch, this vulnerability poses an immediate and unacceptable risk. We strongly recommend that all D-Link DIR-600 routers be identified and removed from the environment as a top priority. While this CVE is not currently on the CISA KEV list, its characteristics make it a likely candidate for widespread exploitation, and organizations should treat its remediation with the utmost urgency.