The vulnerability in the D-Link DIR825 Rev B includes cases up to firmware version 2.10 and includes the stack-based buffer overflow vulnerability (CVE-2025-10666) through how it processes countdown_time parameters posted to apply.cgi among other things. The vulnerability can cause the router's web server (httpd) to be unable to handle post requests of excessive lengths and will usually cause a buffer overflow, leading to a denial of service (DoS) once again.
The public knowledge about this vulnerability dates back to September 2025 when the vulnerability was raised and had been assigned a CVE number (CVE-2025-10666). In early February 2026, a simple proof of concept for the bug on Exploit DB (EDB-ID 52469) was found and created, which demonstrates the bug using the Python requests library, by Beatriz Fresno Naumova.
Key Notes on This Vulnerability
1. The impact is a denial-of-service attack on the public PoC that results in crashing/rebooting the web server (i.e., the httpd). Remote code execution has not been publicly demonstrated yet; however, it is often possible through exploitation of stack overflow vulnerabilities in embedded devices by carefully crafting payloads, such as ROP chains, if ASLR is absent or weak (a common characteristic of older router firmware).
2. Before a remote exploit can be conducted against the endpoint, the following requirements must be satisfied: the endpoint is normally not authenticated, or is at least only required to be on the LAN (with admin authentication for apply.cgi oftentimes not enforced for older D-Link models); and the endpoint must be accessible via the internet (Internet connectivity is not recommended).
3. Devices affected by this vulnerability are D-Link DIR-825 Rev.B systems running Firmware Version 2.10 or lower. D-Link has classified this product as End-of-Life and will not provide any security patches moving forward as they have classified this model as unsupported for a long time now.
4. In order to mitigate this vulnerability, the following recommendations are provided :
(a) Disable remote management/WAN access to the admin web interface
(b) Either place your router behind a more modern firewall or replace it entirely (preferably)
(c) If you are unable to replace your router, do not expose ports 80 or 443 to the internet and monitor for any unexpected reboots
(d) Consider flashing your router with OpenWrt or DD-WRT firmware if possible based on your hardware revision (make sure you check web-site compatibility).
5. Why is this important? There are still a large number of homes and small offices that continue to use this type of legacy router.
If you're testing this in a lab (please only do so on hardware you own, never production or unauthorized networks), start with smaller payloads (~500–1000 bytes) and increment gradually to pinpoint the exact crash threshold. Tools like pwntools or cyclic patterns (e.g., cyclic(5000)) help if you're hunting for control of the return address.
Stay safe out there, old routers are treasure troves for attackers precisely because they're forgotten but still online.
Source: Exploit DB