Remote Command Execution Vulnerability Affects Many D-Link Routers
Proof-of-concept exploits were recently made public by researchers for remote command execution and information disclosure vulnerabilities affecting many D-Link routers.
Miguel Méndez Zúñiga and Pablo Pollanco of Telefónica Chile recently disclosed the details of the vulnerabilities in a couple of blog posts published on Medium.
According to D-Link, the company first learned of the vulnerabilities in mid-October, but its initial security advisory only listed DIR-859 routers as being affected - this was the model on which the researchers conducted their tests.
An updated advisory published by the company late last year shows that the vulnerabilities actually impact over a dozen D-Link DIR models, including ones that are no longer supported.
The remote command execution vulnerability, tracked as CVE-2019-17621, is related to how UPnP requests are handled and it can allow an unauthenticated attacker to take control of vulnerable devices.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-12-30 | CVE-2019-17621 | OS Command Injection vulnerability in D-Link products. The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an unauthenticated remote attacker to execute system commands as root by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network. | 9.8 |