HIGH · CVE-2026-10270 · CNA: VulDB

CVE-2026-10270: D-Link DI-7001 MINI API httpd_debug.asp sprintf stack-based overflow

A vulnerability was detected in D-Link DI-7001 MINI up to version 19.09.19A1. The affected function is sprintf in the file /httpd_debug.asp of the API component. Manipulation of the argument Time results in a stack-based buffer overflow. The attack may be performed remotely. The exploit is now public and may be used.

Metrics

  • CVSS v4.0 score: 8.7
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the D-Link DI-7001 MINI router firmware up to version 19.09.19A1. The flaw is in the sprintf call inside the httpd_debug.asp API handler, where an attacker can supply an oversized value for the Time argument to overflow a fixed-size stack buffer. A remote attacker with a low-privilege account can exploit this to execute arbitrary code on the device, read stored credentials, or disrupt the service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
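As an added illustration (not D-Link's firmware source, which this advisory does not reproduce), the following C sketch shows the pattern the synopsis describes: a handler that formats a request parameter named Time into a fixed-size stack buffer with sprintf, next to a bounded rewrite that validates the argument, uses snprintf, and treats truncation as an error. The buffer sizes, function names and the accepted timestamp character set are assumptions made for the example.

```c
/* Added example, not D-Link's code: a hypothetical HTTP handler that
 * formats a "Time" request parameter into a fixed-size stack buffer.
 * Buffer sizes, names and the accepted character set are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TIME_BUF_LEN 32   /* hypothetical size of the stack buffer */
#define TIME_ARG_MAX 24   /* longest Time value the handler accepts */

/* The pattern the advisory describes: sprintf writes "time=<arg>" with
 * no bound, so an argument longer than the destination overwrites the
 * stack data that follows it. Shown for contrast only; never call it
 * with untrusted input. */
void format_time_unsafe(const char *time_arg, char *out /* TIME_BUF_LEN bytes */) {
    sprintf(out, "time=%s", time_arg);
}

/* Hardened rewrite: reject over-long or unexpected input before
 * formatting, use snprintf, and treat truncation as a failure. */
bool format_time_safe(const char *time_arg, char *out, size_t out_len) {
    size_t n = strlen(time_arg);
    if (n == 0 || n > TIME_ARG_MAX)
        return false;
    /* Allow only the characters a timestamp such as
     * "2026-01-01 12:00:00" needs (assumed format). */
    for (size_t i = 0; i < n; i++) {
        char c = time_arg[i];
        if (!((c >= '0' && c <= '9') || c == '-' || c == ':' || c == ' '))
            return false;
    }
    int written = snprintf(out, out_len, "time=%s", time_arg);
    /* snprintf returns the length it wanted to write; a value >= out_len
     * means the output was truncated and must not be used. */
    if (written < 0 || (size_t)written >= out_len)
        return false;
    return true;
}

/* Stand-alone demo: an accepted value, an over-long value, and a value
 * that passes the length check but does not fit a smaller destination. */
int main(void) {
    char buf[TIME_BUF_LEN];
    const char *ok = "2026-01-01 12:00:00";                            /* constructed */
    const char *too_long = "0000000000000000000000000000000000000000";  /* constructed, 40 chars */

    printf("valid     -> %s\n", format_time_safe(ok, buf, sizeof buf) ? buf : "rejected");
    printf("too long  -> %s\n", format_time_safe(too_long, buf, sizeof buf) ? buf : "rejected");
    printf("small dst -> %s\n", format_time_safe(ok, buf, 16) ? buf : "rejected");
    return 0;
}
```

The length check alone would be enough to stop the overflow in this sketch; the snprintf return-value check is the belt-and-braces control that keeps the handler safe if the buffer size or prefix string is changed later.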

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-10270 is available across every HarborGuard environment - the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, covering both vendor-supplied and custom-built images that bundle affected D-Link firmware layers.

Triage: Available

Triage is available with the full CVSS v4.0 score of 8.7 (HIGH) surfaced alongside per-environment compliance policy weighting, so severity thresholds and owner routing rules defined by each customer org are applied automatically when the finding lands in the queue.

Patch: Pending upstream

No fix version has been published by D-Link for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released; for customers with auto-remediation enabled, that rebuild will trigger a regression run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoint is exposed over the network, so the attacker must be able to reach the device's HTTP service remotely.

  • Authentication: Required

    The CVSS vector specifies PR:L, meaning any low-privilege account on the device is sufficient to send the malicious request.

  • Victim interaction: Not required

    No user interaction is needed; the attacker sends the crafted request directly to the API without involving another user.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker achieves remote code execution on the router by overwriting the stack return address, gaining full control of the device process.
  • Confidential data stored or passing through the device - including credentials, session tokens, and routing configuration - is readable by the attacker (VC:H).
  • The attacker can modify persisted configuration, routing tables, or firmware state on the device (VI:H).
  • The affected httpd service can be crashed or rendered unresponsive, cutting off management access and potentially disrupting network traffic flowing through the router (VA:H).

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against every customer image set, with the 8.7 HIGH score and compliance policy weighting applied to route findings to the appropriate team inbox. Because no upstream patch exists yet, HarborGuard re-evaluates the D-Link advisory on each ingest cycle and will surface a patched-image rebuild automatically once a fix version is published; for customers with auto-remediation enabled, the rebuild, regression run, and PR will fire without manual steps. In the meantime, compensating controls worth considering include network-policy isolation that restricts access to the device management interface to trusted subnets only, egress filtering to limit lateral movement if the device is compromised, and disabling or rate-limiting the httpd_debug.asp endpoint via firewall rules where the device configuration permits.

Affected packages
  • D-Link / DI-7001 MINI: 19.09.19A1
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P