D-Link Patches Critical Router Vulnerabilities

D-Link has released patches for critical vulnerabilities that could allow attackers to execute arbitrary code and commands on routers.

Taiwanese networking hardware maker D-Link on Monday announced patches for multiple critical-severity vulnerabilities that could lead to remote code execution.

Two of the critical flaws, tracked as CVE-2024-45694 and CVE-2024-45695 (CVSS score of 9.8), are described as stack-based buffer overflow issues in the web service of several wireless routers.

Both security defects, D-Link notes in its advisory, can be exploited by remote, unauthenticated attackers to execute arbitrary code on the affected devices.

Another critical bug, tracked as CVE-2024-45697 (CVSS score of 9.8), may allow remote attackers to log in to vulnerable routers and execute system commands using hardcoded credentials.

“Certain D-Link wireless router models have hidden functionality: the telnet service is enabled when the WAN port is plugged in,” D-Link explains.

The manufacturer also released fixes for CVE-2024-45696, a high-severity vulnerability that could allow attackers to enable the telnet service and use hardcoded credentials to log in to the device.

“The attacker can forcibly enable the telnet service and log in using hard-coded credentials by sending specific packets to the web service. The telnet service enabled through this method can only be accessed from within the same local network as the device,” D-Link explains.

Another high-severity issue that D-Link has resolved exists because user input is not properly validated in the telnet service of certain wireless router models. The flaw is tracked as CVE-2024-45698.

“This allows unauthenticated, remote attackers to use hard-coded credentials to log into the telnet and inject arbitrary OS commands, which can then be executed on the device,” the manufacturer explains.

The five bugs impact D-Link’s COVR-X1870, DIR-X5460, and DIR-X4860 wireless routers. Firmware upgrades that resolve the security defects were released on September 13, the company says.

D-Link also revealed that the issues were reported to it via TWCERT (the Taiwan Computer Emergency Response Team/Coordination Center) on June 8, and that the reporter published information on the bugs before the company could release patches.

“The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule. We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer,” D-Link said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
