Critical Command Execution Vulnerability Found in D-Link Routers That Will Not Be Patched

Recently, researchers discovered a serious vulnerability affecting many D-Link Routers. Upon an exploit, the flaw can lead to remote code execution by the attacker. However, the vendors have said they won’t be releasing a fix for this vulnerability.

RCE Vulnerability In D-Link Routers

Researchers from Fortinet discovered a serious security vulnerability affecting D-Link Routers. They found an unauthenticated command injection vulnerability that would allow for remote code execution.

The security flaw (CVE-2019-16920) affects different models of D-Link routers. These include DIR-655, DIR-866L, DIR-652, and DHP-1565

According to the vulnerability description,

The issue occurs when the attacker sends an arbitrary input to a “PingTest” device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise.

The flaw has received a critical severity rating with a CVSS score of 9.8 owing to its exploitability via remote attacks.

The researchers have presented their technical details of their vulnerability in a detailed report here.

Vendors Deny Any Fix

Following the discovery of the flaw, the researchers reported the matter to vendors on September 22, 2019. However, despite their quick acknowledgment of the flaw the very next day, the vendors denied a fix for it.The rational the company gave was due to routers affected by this vulnerability being at their End of Service Life. Therefore, D-Link won’t be working on a fix for them.

Therefore all users of these old routers are vulnerable to exploit. Thus, the only viable measure for users to prevent possible attacks is to upgrade their devices. This is what the vendors also advise.

We recommend replacing the device with a new device that is actively supported.  Using these devices are at your own risk, D-Link does not recommend further use.

Let us know your thoughts in the comments

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients