WARNING — Critical Remote Hacking Flaws Affect D-Link VPN Routers
Security News, December 2020
Some widely sold D-Link VPN router models have been found vulnerable to three new high-risk security vulnerabilities, leaving millions of home and business networks open to cyberattacks, even when the devices are protected by a strong password.
Discovered by researchers at Digital Defense and responsibly disclosed to D-Link on August 11, the three shortcomings could, if exploited, allow remote attackers to execute arbitrary commands on vulnerable networking devices via specially crafted requests, and even to launch denial-of-service attacks against them.
The D-Link DSR-150, DSR-250, DSR-500 and DSR-1000AC, along with other VPN router models in the DSR family, are vulnerable to the remotely exploitable root command injection flaw when running firmware versions 3.14 and 3.17.
The flaws stem from the fact that the vulnerable component, the "Lua CGI" handler, is reachable without authentication and performs no server-side filtering of its input. An attacker, authenticated or not, can therefore inject shell commands into a request parameter, and the injected commands are executed with root privileges on the device.
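The pattern the article describes, an unauthenticated CGI-style handler that drops a request parameter straight into a shell command line, is easy to reproduce and easy to fix. The following is an added illustration written for this page; it is not D-Link's Lua CGI code, and the parameter name `host`, the `ping` command and the sample request bodies are assumptions chosen for the example. The vulnerable function shows why a strong login password does not help (the handler never checks for one), and the hardened function shows the two controls that close the hole: an authentication check before anything else, and an allowlist plus argument-vector execution so the parameter can never reach a shell.

```python
"""Command injection in a CGI-style handler: vulnerable pattern beside a hardened one.

Added example for illustration only; not the vendor's code. The parameter name,
command and request bodies below are constructed for the demonstration.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample request bodies (not captured from any real device).
BENIGN_BODY = "host=192.0.2.10"
MALICIOUS_BODY = "host=192.0.2.10;id"   # ';' terminates the ping and runs 'id'


def _param(body: str, name: str) -> str:
    """Return the first value of a form-encoded parameter ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def vulnerable_build_command(body: str) -> str:
    """The flawed pattern: no auth check, no filtering, string handed to a shell.

    Whatever the client sends after 'host=' becomes part of the command line,
    so metacharacters such as ';', '|', '`' or '$(' give the attacker a shell
    with the handler's privileges (root, in the case described by the article).
    """
    host = _param(body, "host")
    return f"ping -c 1 {host}"      # would be passed to system()/os.system()


# Allowlist for the only thing this parameter is supposed to carry:
# a hostname or IPv4 address. Anything else is rejected outright.
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def hardened_build_argv(body: str, authenticated: bool) -> list[str]:
    """Hardened handler: reject unauthenticated callers, allowlist the value,
    and build an argument vector so no shell ever parses the input."""
    if not authenticated:
        raise PermissionError("authentication required")
    host = _param(body, "host")
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"host rejected by allowlist: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(body: str, authenticated: bool) -> subprocess.CompletedProcess:
    """Execute the validated argv without shell=True (a list is never re-parsed)."""
    argv = hardened_build_argv(body, authenticated)
    return subprocess.run(argv, capture_output=True, check=False)


_SUSPICIOUS = re.compile(r"[;|&`$<>\n]|\$\(")


def flags_injection_attempt(body: str) -> bool:
    """Defender-side check: does any parameter value carry shell metacharacters?
    Useful for log review or a WAF rule while a device awaits a firmware fix."""
    values = (v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs)
    return any(_SUSPICIOUS.search(v) for v in values)


if __name__ == "__main__":
    print("vulnerable  :", vulnerable_build_command(MALICIOUS_BODY))
    print("hardened    :", hardened_build_argv(BENIGN_BODY, authenticated=True))
    for body in (BENIGN_BODY, MALICIOUS_BODY):
        try:
            hardened_build_argv(body, authenticated=False)
        except PermissionError as exc:
            print("unauth      :", exc)
    try:
        hardened_build_argv(MALICIOUS_BODY, authenticated=True)
    except ValueError as exc:
        print("allowlist   :", exc)
    print("flagged     :", flags_injection_attempt(MALICIOUS_BODY))
```

Note that the allowlist, not escaping, is doing the work: `shlex.quote` would also neutralise the metacharacters, but a strict allowlist fails closed and still rejects values that are syntactically safe yet semantically wrong for the parameter. The argument-vector call is what makes the `;id` payload harmless even if a later change loosens the regex.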
As organizations have scrambled to adapt to remote work and offer secure remote access to enterprise systems, the change has created new attack surfaces, with flaws in VPNs becoming popular targets for attackers to gain entry into internal corporate networks.
Related news
- D-Link urges users to retire VPN routers impacted by unfixed RCE flaw
- D-Link tells users to trash old VPN routers over bug too dangerous to identify
- DrayTek fixed critical flaws in over 700,000 exposed routers
- Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities
- D-Link won't fix critical flaw affecting 60,000 older NAS devices
- D-Link won't fix critical bug in 60,000 exposed EoL modems
- Critical bug in EoL D-Link NAS devices now exploited in attacks