Security News > 2020 > December > D-Link VPN routers get patch for remote command injection bugs
A vulnerability in D-Link firmware powering multiple routers with VPN passthrough functionality allows attackers to take full control of the device.
Reported by Digital Defense's Vulnerability Research Team on August 11, the flaw is a root command injection that can be exploited remotely if the device's "Unified Services Router" web interface is reachable over the public internet.
"Consequently, a remote, unauthenticated attacker with access to the router's web interface could execute arbitrary commands as root, effectively gaining complete control of the router" - Digital Defense.
The router manufacturer explains that an attacker can slip malicious data into a command designed to calculate a hash that is processed by the "os.popen()" function.
One of them is also a root command injection exploitable over an exposed "Unified Services Router" web interface, but it requires authentication.
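The pattern the manufacturer describes, untrusted data spliced into a hash command that is handed to a shell, is shown below as an added illustration next to a shell-free fix; it is not D-Link's firmware code. The choice of Python, the `sha256sum` command line, the SHA-256 algorithm and all function names are assumptions, and the input values are constructed.

```python
import hashlib
import shlex

SEPARATORS = {";", "|", "&", "&&", "||"}

def build_hash_command_vulnerable(user_value: str) -> str:
    # Vulnerable pattern: request data concatenated into a shell command line
    # that would then be passed to os.popen(). Built here, never executed.
    return "echo -n " + user_value + " | sha256sum"

def shell_commands_in(cmdline: str) -> list:
    """Split a command line into the separate commands a POSIX shell would run.

    Models only the separators ; | & && ||. Shells also expand substitutions
    such as $(...) and backticks, which is why filtering is not the fix.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def hash_without_shell(user_value: str) -> str:
    # Hardened form: compute the hash in-process, so the value is only ever
    # data and no shell parses it.
    return hashlib.sha256(user_value.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for value in ("secret", "x; echo INJECTED"):  # constructed sample inputs
        cmds = shell_commands_in(build_hash_command_vulnerable(value))
        print(repr(value), "->", len(cmds), "shell commands:", cmds)
        print("  in-process hash:", hash_without_shell(value))
```

A field value that should yield two piped commands yields three once it carries a separator, which is the condition to look for when auditing code that builds command strings for `os.popen()`.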