Security News > 2020 > December > Unauthenticated Command Injection Flaw Exposes D-Link VPN Routers to Attacks
D-Link is working on releasing firmware updates to address two command injection vulnerabilities that affect multiple VPN router models.
Security researchers at Digital Defense identified a total of three vulnerabilities that affect several D-Link VPN routers, including authenticated and unauthenticated command injection flaws, and an authenticated crontab injection issue.
Initially discovered in DSR-250 routers running firmware version 3.17, the vulnerabilities were confirmed to affect other devices as well, namely D-Link DSR-150, DSR-250, DSR-500, and DSR-1000AC VPN routers running firmware versions 3.17 and earlier.
The most important of these bugs could allow an unauthenticated attacker able to access the "Unified Services Router" web interface over LAN or WAN to inject arbitrary commands that are executed with root privileges.
According to Digital Defense, exploitation of this vulnerability could essentially allow an unauthenticated attacker to gain complete control of the router.
News URL
Related news
- D-Link urges users to retire VPN routers impacted by unfixed RCE flaw (source)
- D-Link tells users to trash old VPN routers over bug too dangerous to identify (source)
- Cisco fixes VPN DoS flaw discovered in password spray attacks (source)
- New Cisco ASA and FTD features block VPN brute-force password attacks (source)
- Critical bug in EoL D-Link NAS devices now exploited in attacks (source)
- Fortinet VPN design flaw hides successful brute-force attacks (source)