D-Link Refuses to Patch Critical Vulnerabilities in 60,000 Routers

D-Link Declines to Fix Critical Bug Affecting 60,000 Routers

Recently, D-Link announced it would not release patches for a critical vulnerability in its legacy NAS devices (CVE-2024-10914). Now, owners of 60,000 vulnerable D-Link routers, which are no longer supported, are facing a similar issue. The vulnerability allows a remote, unauthenticated attacker to change any user’s password and gain full control over the device. D-Link has stated that it will not be providing a fix for this issue.

Details of the Vulnerabilities

Several vulnerabilities were discovered in the D-Link DSL6740C router by independent security researcher Chaio-Lin Yu, who reported the issues to the Taiwan CERT (TWCERTCC). Support for these devices ended in early 2024. The main vulnerabilities are:

  • CVE-2024-11068 (CVSS score: 9.8): Allows unauthenticated attackers to change any user’s password via privileged API access. This gives the attacker unrestricted access to web services, SSH, and Telnet.
  • CVE-2024-11067 (CVSS score: 7.5): A path traversal bug that lets unauthenticated attackers read arbitrary system files, discover the device’s MAC address, and attempt to log in using default credentials.
  • CVE-2024-11066 (CVSS score: 7.2): Attackers with administrator rights can execute arbitrary commands on the host OS through a specific web page.
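Because no firmware fix is coming, the practical defence is to keep these devices off the internet and to watch for probing of the kind described above. The snippet below is an added example, not code from the article, from D-Link or from the researcher, that shows how a defender can flag path-traversal attempts (the pattern behind CVE-2024-11067) in HTTP access logs captured at a reverse proxy or IDS in front of the device. The log lines, IP addresses and paths are constructed for illustration; the page does not disclose the vulnerable endpoint, so the check is generic: it URL-decodes each request path (repeatedly, to catch double encoding) and reports any `..` segment in the path or query string.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real device logs)
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [12/Nov/2024:10:01:05 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.5 - - [12/Nov/2024:10:01:09 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
192.0.2.11 - - [12/Nov/2024:10:01:12 +0000] "GET /api/status?x=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 300
"""

# Fields of a Common Log Format line: client IP, timestamp, method, path, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' segment bounded by a path separator, query delimiter or end of string
TRAVERSAL_RE = re.compile(r'(^|[/?&=])\.\.(/|$|[?&])')


def decode_path(path: str) -> str:
    """URL-decode a request path until it stops changing (bounded), so that
    double-encoded sequences such as %252f are reduced to a plain slash."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    # Treat backslashes as separators too; some servers normalise them
    return cur.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if the decoded path or query string contains a '..' segment."""
    return TRAVERSAL_RE.search(decode_path(path)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Return (client_ip, decoded_path, status) for every request that looks
    like a directory-traversal attempt. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal(m.group("path")):
            hits.append((m.group("ip"), decode_path(m.group("path")), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        # A 200 on a traversal request deserves more attention than a 403
        print(f"{ip} requested {path!r} (HTTP {status})")
```

This is signature matching, so it catches attempts rather than proving success; a 200 response to a flagged request is the line to investigate first. The check assumes the device sits behind something that logs requests, which is the configuration to aim for anyway given that the router itself will not be patched.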

D-Link has published a security bulletin about these vulnerabilities, stating that no patches will be released. The company recommends users stop using outdated and vulnerable devices and replace them with newer models.

Scope of the Problem

According to FOFA search results, there are still about 60,000 vulnerable D-Link DSL6740C devices accessible on the internet, most of which are located in Taiwan.

Active Exploitation of NAS Vulnerability

It’s also worth noting that the critical CVE-2024-10914 vulnerability in D-Link NAS devices, which was disclosed a few days ago, is already being exploited by hackers. According to Shadowserver experts, attackers began targeting this vulnerability on November 12, 2024. Researchers strongly recommend immediately isolating vulnerable devices from the internet.

The affected NAS models include:

  • DNS-320 version 1.00
  • DNS-320LW version 1.01.0914.2012
  • DNS-325 versions 1.01 and 1.02
  • DNS-340L version 1.08
