Security News > 2020 > December > Unauthenticated Command Injection Flaw Exposes D-Link VPN Routers to Attacks
D-Link is working on releasing firmware updates to address two command injection vulnerabilities that affect multiple VPN router models.
Security researchers at Digital Defense identified a total of three vulnerabilities that affect several D-Link VPN routers, including authenticated and unauthenticated command injection flaws, and an authenticated crontab injection issue.
Initially discovered in DSR-250 routers running firmware version 3.17, the vulnerabilities were confirmed to affect other devices as well, namely D-Link DSR-150, DSR-250, DSR-500, and DSR-1000AC VPN routers running firmware versions 3.17 and earlier.
The most important of these bugs could allow an unauthenticated attacker able to access the "Unified Services Router" web interface over LAN or WAN to inject arbitrary commands that are executed with root privileges.
According to Digital Defense, exploitation of this vulnerability could essentially allow an unauthenticated attacker to gain complete control of the router.
News URL
Related news
- Malware botnets exploit outdated D-Link routers in recent attacks (source)
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks (source)
- Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers (source)
- PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack (source)
- IPany VPN breached in supply-chain attack to push custom malware (source)
- Massive brute force attack uses 2.8 million IPs to target VPN devices (source)
- SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN (source)