Security News > 2024 > May > PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers
The D-Link EXO AX4800 router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port.
The D-Link DIR-X4860 router is a high-performance Wi-Fi 6 router capable of speeds of up to 4800 Mbps and advanced features like OFDMA, MU-MIMO, and BSS Coloring that enhance efficiency and reduce interference.
Accessing the Home Network Administration Protocol port on the D-Link DIR-X4860 router is relatively straightforward in most cases, as it's usually HTTP or HTTPS accessible through the router's remote management interface.
The attack begins with a specially crafted HNAP login request to the router's management interface, which includes a parameter named 'PrivateLogin' set to "Username" and a username of "Admin".
The vulnerable 'SetVirtualServerSettings' function processes the 'LocalIPAddress' parameter without proper sanitization, allowing the injected command to execute in the context of the router's operating system.
Exploit released for Palo Alto PAN-OS bug used in attacks, patch now.
News URL
Related news
- QNAP QTS zero-day in Share feature gets public RCE exploit (source)
- POC exploit code published for 9.8-rated Apache HugeGraph RCE flaw (source)
- Exploit code for Palo Alto Networks zero-day now public (source)
- Prompt Hacking, Private GPTs, Zero-Day Exploits and Deepfakes: Report Reveals the Impact of AI on Cyber Security Landscape (source)
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks (source)
- State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage (source)
- New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw (source)
- Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671) (source)
- CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now (source)
- PoC exploit for Ivanti EPMM privilege escalation flaw released (CVE 2024-22026) (source)