ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence · 12/8/2025

What happened

CISA added CVE-2022-37055 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-12-08, signaling verified exploitation in the wild [CISA KEV]. The entry identifies a buffer overflow in D-Link routers with high impact to confidentiality, integrity, and availability [CISA KEV]. CISA’s record further warns that impacted hardware could be end-of-life or end-of-service and advises discontinuing use when mitigations aren’t available [CISA KEV].

The vulnerability is categorized under CWE-120 (Classic Buffer Overflow), per the public vulnerability records [NVD: CVE-2022-37055] and [MITRE CVE-2022-37055]. CISA’s required action for federal agencies is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use; the remediation due date listed is 2025-12-29 [CISA KEV].

Why it matters

When a CVE lands in KEV, it means real adversaries are actively using it—not that it’s merely theoretically exploitable [CISA KEV]. Here, the target class is the network edge: D-Link routers. Compromise at the edge jeopardizes traffic confidentiality and device integrity, squarely aligning with the “high impact on confidentiality, integrity, and availability” noted by CISA [CISA KEV].

Lifecycle status raises the stakes. CISA explicitly flags that affected products may be EoL/EoS—translation: patches might never arrive, and risk persists indefinitely [CISA KEV]. In those cases, discontinuation is not a nice-to-have; it’s the recommended course when mitigations do not exist [CISA KEV]. Organizations sitting on legacy SOHO/branch routers should expect that adversaries—and scanners—will find them first once a CVE is elevated to KEV [CISA KEV].

Technical detail

CVE-2022-37055 is a classic buffer overflow (CWE-120), a class of memory corruption caused by writing outside allocated bounds [NVD: CVE-2022-37055]. While implementation specifics are not enumerated in the KEV landing page, the CWE classification indicates insufficient bounds checking in code paths handling input, which historically can lead to state corruption or process crashes [MITRE CVE-2022-37055]. The KEV entry describes high impact across confidentiality, integrity, and availability, consistent with the risks typically associated with buffer overflows on network infrastructure [CISA KEV].

CISA’s record references the affected product simply as “D-Link Routers,” without listing specific models in the catalog text [CISA KEV]. Teams should treat any in-scope D-Link router model as suspect until confirmed otherwise against the canonical CVE entries and the vendor’s own advisories referenced by the public records [NVD: CVE-2022-37055, MITRE CVE-2022-37055]. Given KEV status, assume adversaries already know which firmware and services are vulnerable and are probing accordingly [CISA KEV].

Defense

CISA’s required actions are explicit: apply mitigations per the vendor, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable [CISA KEV]. For U.S. federal agencies, the KEV due date to remediate CVE-2022-37055 is 2025-12-29 [CISA KEV].

Practical steps aligned to the KEV record:

  • Identify and inventory any D-Link routers in use; treat them as potentially affected pending explicit vendor confirmation [CISA KEV].
  • If a mitigation or fixed firmware is available from the vendor, apply it immediately and validate the result against the public CVE references [NVD: CVE-2022-37055, MITRE CVE-2022-37055].
  • If the device is EoL/EoS or no mitigation exists, plan and execute discontinuation and replacement; this is directly recommended in KEV for affected products [CISA KEV].

For incident response triage, prioritize any D-Link edge assets given the confirmed exploitation signal from KEV and validate configurations and firmware provenance before returning devices to service [CISA KEV].
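The inventory-and-decide loop described in the steps above (and the auto-label / isolate / block-reintroduction policy Lyrie argues for in the verdict below) can be reduced to a small, testable rule set. The following is an added example, not Lyrie's tooling or any CISA-provided code. It assumes a KEV record shaped like CISA's public `known_exploited_vulnerabilities.json` feed (the field names are the feed's; the record content is constructed from the facts in this advisory, with the free-text fields left as placeholders) and a hypothetical asset inventory whose fields are this example's own assumptions.

```python
"""KEV-driven triage of an asset inventory (added example, not Lyrie's code)."""
from dataclasses import dataclass
from datetime import date

# Constructed KEV record. Field names follow CISA's known_exploited_vulnerabilities.json;
# the identifiers and dates are those stated in the advisory, the free-text fields are
# placeholders rather than the catalog's wording.
KEV_ENTRY = {
    "cveID": "CVE-2022-37055",
    "vendorProject": "D-Link",
    "product": "Routers",
    "vulnerabilityName": "PLACEHOLDER - see the catalog entry",
    "dateAdded": "2025-12-08",
    "shortDescription": "PLACEHOLDER - buffer overflow (CWE-120) in D-Link routers",
    "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                      "BOD 22-01 guidance for cloud services, or discontinue use if "
                      "mitigations are unavailable.",
    "dueDate": "2025-12-29",
}


@dataclass
class Asset:
    """Hypothetical inventory record; every field here is an assumption of this example."""
    hostname: str
    vendor: str
    device_class: str           # "router", "switch", "access-point", ...
    eol: bool                   # vendor has declared the model end-of-life / end-of-service
    mitigation_verified: bool   # vendor fix applied AND validated against the CVE references


def matches_kev(asset: Asset, kev: dict) -> bool:
    """Vendor match plus a product-keyword match.

    KEV names the product only as "Routers", so every D-Link router is in scope
    until the vendor says otherwise; a D-Link device of another class is not
    matched by this entry.
    """
    vendor_ok = asset.vendor.strip().lower() == kev["vendorProject"].strip().lower()
    keyword = kev["product"].strip().lower().rstrip("s")   # "Routers" -> "router"
    return vendor_ok and keyword in asset.device_class.lower()


def triage(asset: Asset, kev: dict, today: date) -> dict:
    """Apply the KEV required action to one asset and return a labelled verdict."""
    due = date.fromisoformat(kev["dueDate"])
    verdict = {
        "hostname": asset.hostname,
        "cve": kev["cveID"],
        "label": "not-affected",
        "action": "none",
        "isolate": False,                    # quarantine / traffic isolation at the edge
        "days_to_due": (due - today).days,   # negative means the KEV due date has passed
    }
    if not matches_kev(asset, kev):
        return verdict
    if asset.mitigation_verified:
        # Verified fix: may return to service, but keep the KEV label for tracking.
        verdict["label"] = "kev-mitigated"
        verdict["action"] = "return-to-service"
    elif asset.eol:
        # No patch is coming: KEV's own guidance is to discontinue use.
        verdict["label"] = "kev-exposed"
        verdict["action"] = "discontinue"
        verdict["isolate"] = True
    else:
        # Fix exists or may exist: isolate until the vendor mitigation is applied and verified.
        verdict["label"] = "kev-exposed"
        verdict["action"] = "apply-vendor-mitigation"
        verdict["isolate"] = True
    return verdict


def triage_inventory(assets: list, kev: dict, today: date) -> list:
    """Triage every asset; assets needing isolation come first, nearest due date first."""
    results = [triage(a, kev, today) for a in assets]
    return sorted(results, key=lambda v: (not v["isolate"], v["days_to_due"]))


# Constructed inventory for demonstration.
SAMPLE_INVENTORY = [
    Asset("branch-gw-01", "D-Link", "router", eol=True, mitigation_verified=False),
    Asset("branch-gw-02", "D-Link", "router", eol=False, mitigation_verified=False),
    Asset("branch-gw-03", "D-Link", "router", eol=False, mitigation_verified=True),
    Asset("lobby-ap-01", "D-Link", "access-point", eol=False, mitigation_verified=False),
    Asset("core-sw-01", "ExampleVendor", "switch", eol=False, mitigation_verified=False),
]

if __name__ == "__main__":
    for v in triage_inventory(SAMPLE_INVENTORY, KEV_ENTRY, date(2025, 12, 8)):
        print(v)
```

The only judgement the code makes on its own is the product-keyword match; everything else is the KEV required action applied mechanically, which is the point of tying the catalog to policy rather than to a ticket queue. Feeding it the live feed instead of the constructed record only requires selecting the entry whose `cveID` is `CVE-2022-37055`.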

Lyrie Verdict

CVE-2022-37055 is now a live-fire router vuln. KEV status means exploitation is not hypothetical, and legacy/EoL exposure turns patch cycles into a dead end [CISA KEV]. Edge equipment demands decisions at machine speed: find it, classify it, and remove it from the blast radius before an operator even sees the ticket. Lyrie’s position is simple—tie asset intelligence to autonomous policy: when KEV flags a router class vuln with high CIA impact, auto-label D-Link edge nodes, enforce quarantine or traffic isolation, and block reintroduction until a verified mitigation is applied [NVD: CVE-2022-37055]. That’s how you beat active exploitation windows that open the moment a CVE hits KEV [CISA KEV].