Security News > 2020 > December > D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws

Some of the impacted router models were first introduced in 2012 and appear to lack the same type of patching cadence as more modern D-Link router models.

The routers are common home networking devices sold at numerous retail outlets, which means that people working remotely due to the COVID-19 pandemic likely are exposing not only their own environments but also corporate networks to risk, Digital Defense researchers noted.

The second flaw is similar to the firm but requires an authenticated user with access to the "Unified Services Router" web interface to inject arbitrary commands that will be executed with root privileges, according to D-Link.

"D-Link has made a patch in the form of a hotfix for the affected firmware versions and models. Reference the information provided in D-Link's support announcement. The official firmware release is anticipated in mid-December. Users are advised to verify their hardware model and firmware to identify vulnerable devices and apply provided hotfix and any other updates until the official firmware is available," Digital Defense wrote.

A report released earlier this year found that most home routers contain a number of known vulnerabilities-sometimes hundreds of them-that remained largely unpatched, meaning that many of those currently working from home are likely at risk.

News URL

https://threatpost.com/d-link-routers-zero-day-flaws/162064/