D-Link WiFi range extender vulnerable to command injection attacks (Security News, October 2023)
The popular D-Link DAP-X1860 WiFi 6 range extender is susceptible to a vulnerability allowing DoS attacks and remote command injection.
An attacker within the extender's range can set up a WiFi network with a name that resembles one the target is familiar with but contains a tick (a single quote) in the name, such as 'Olaf's Network'.
If the attacker adds a second section to the SSID that contains a shell command separated by "&&", like "Test' && uname -a &&", the extender will be tricked into executing the 'uname -a' command upon setup/network scan.
All processes on the extender, including any commands injected by external threat actors, are run with root privileges, potentially allowing the attackers to probe other devices connected to the extender and further their network infiltration.
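Why a single quote in an SSID breaks out of a quoted shell argument, and how quoting keeps it as data, shown as an added example that is not taken from the article or from D-Link's firmware. The command-building pattern and the helper name `connect_ap` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the SSID quoted in the article. */
static const char SAMPLE_SSID[] = "Test' && uname -a &&";

/* Assumed vulnerable pattern: the SSID is pasted between single quotes, so a
 * quote inside the SSID closes the string and the rest is parsed by the shell.
 * "connect_ap" is a hypothetical helper name, not a real firmware command. */
int build_cmd_naive(const char *ssid, char *out, size_t cap) {
    int n = snprintf(out, cap, "connect_ap --ssid '%s'", ssid);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Write `in` as exactly one sh single-quoted word: every ' becomes '\''.
 * Returns 0 on success, -1 if `out` is too small (never truncates silently). */
int sh_quote(const char *in, char *out, size_t cap) {
    size_t o = 0;
    if (cap < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > cap) return -1;  /* keep room for closing ' and NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Hardened builder: the SSID reaches the shell only as quoted data. */
int build_cmd_quoted(const char *ssid, char *out, size_t cap) {
    char q[32 * 4 + 3];  /* worst case for a 32-byte SSID made only of quotes */
    if (sh_quote(ssid, q, sizeof q) != 0) return -1;
    int n = snprintf(out, cap, "connect_ap --ssid %s", q);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void) {
    char cmd[256];
    if (build_cmd_naive(SAMPLE_SSID, cmd, sizeof cmd) == 0) printf("naive:  %s\n", cmd);
    if (build_cmd_quoted(SAMPLE_SSID, cmd, sizeof cmd) == 0) printf("quoted: %s\n", cmd);
    return 0;
}
```

Passing the SSID as a separate argv element to an exec-family call avoids the shell altogether and is preferable wherever the firmware design allows it.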
Owners of DAP-X1860 extenders are advised to limit manual network scans, treat sudden disconnections as suspicious, and turn off the extender when it is not actively in use.
Consider placing IoT devices and range extenders on a separate network isolated from sensitive devices holding personal or work data.