Security News > 2021 > July > D-Link issues hotfix for hard-coded password router vulnerabilities
D-Link has issued a firmware hotfix to address multiple vulnerabilities in the DIR-3040 AC3000-based wireless internet router.
The CVE-2021-21818 and CVE-2021-21820 hard-coded password and credentials vulnerabilities [1, 2] exist in the router's Zebra IP Routing Manager and the Libcli Test Environment functionality.
It makes it possible to start a "Hidden telnet service can be started without authentication by visiting https:///start telnet" and log into the Libcli test environment using a default password stored in unencrypted form on the router.
The table below lists the vulnerable router models and links to the updated firmware version containing the fix.
D-Link has patched other severe vulnerabilities in multiple router models in the past, including remote command injection bugs enabling attackers to take complete control of vulnerable devices.
Previously, the company fixed five critical vulnerabilities impacting some of its routers that made it possible for threat actors to steal admin credentials, bypass authentication, and execute arbitrary code in reflected Cross-Site Scripting attacks.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-07-16 | CVE-2021-21820 | Use of Hard-coded Credentials vulnerability in Dlink Dir-3040 Firmware 1.13B03 A hard-coded password vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. | 7.5 |
| 2021-07-16 | CVE-2021-21818 | Use of Hard-coded Credentials vulnerability in Dlink Dir-3040 Firmware 1.13B03 A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. | 5.0 |