Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

CISA has added two vulnerabilities in discontinued D-Link products to its KEV catalog, including a decade-old flaw.

The US cybersecurity agency CISA on Thursday added two D-Link product CVEs to its Known Exploited Vulnerabilities (KEV) Catalog, urging federal agencies to address them as soon as possible.

The first CVE, CVE-2014-100005, collectively tracks decade-old security defects impacting legacy D-Link routers that reached End-Of-Life (EOL) status.

Patched in March 2014 and described as cross-server request forgery (CSRF) flaws, these bugs impact DIR-600 Rev. Bx F/W: 2.16WW and below routers, allowing attackers to make configuration changes to vulnerable devices.

According to a NIST advisory, the CSRF flaws can be exploited remotely to “hijack the authentication of administrators for requests that create an administrator account or enable remote management via a crafted configuration module to hedwig.cgi, activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or send a ping via a ping action to diagnostic.php.”

Details on these issues were initially published by Infosec Institute’s Dawid Czagan in January 2014, but no exploitation reports have been published prior to CISA’s warning. Other vulnerabilities in D-Link DIR-600 routers, however, are known to have been targeted in the wild.

“This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions,” CISA warns.

Advertisement. Scroll to continue reading.

The second D-Link CVE added to CISA’s KEV list this week is CVE-2021-40655, an information disclosure bug in discontinued D-Link DIR-605 routers, which allows attackers to obtain login credentials in plain text, using forged POST requests.

The issue impacts D-Link DIR-605 B2 devices running firmware version 2.01MT and proof-of-concept (PoC) code targeting it has been available publicly since 2021.

On Thursday, CISA also expanded the KEV list with CVE-2024-4761, a Chrome zero-day patched earlier this week.  

The cybersecurity agency has not provided details on the observed exploitation of any of these vulnerabilities.

Per Binding Operational Directive (BOD) 22-01, federal agencies have until June 6 to identify vulnerable devices and applications in their environments and apply the recommended mitigations.

Related: CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities

Related: CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.