D-Link has released firmware updates for its DIR-850L router to address a majority of the vulnerabilities disclosed recently by a security researcher.
Earlier this month, researcher Pierre Kim disclosed the details of several flaws affecting D-Link DIR-850L routers and the company’s mydlink cloud services. The expert decided to make his findings public without giving D-Link time to release fixes due to the way the vendor had previously handled patching and coordination.
D-Link has now released updates for both revision A and B of the firmware for DIR-850L devices. The company has provided detailed instructions for updating the firmware, which it says is a two-step process.
The vulnerabilities found by Kim include the lack of firmware protections, cross-site scripting (XSS), denial-of-service (DOS), and weaknesses that can be exploited to execute arbitrary commands.
The researcher also discovered that flaws in the mydlink cloud service, which allows users to access their D-Link devices from anywhere over the Internet, can be exploited by a remote and unauthenticated attacker to take complete control of a router.
Kim has analyzed the firmware updates and determined that a majority of the flaws he identified have been patched. The researcher said only a DoS issue does not appear to have been addressed properly, and he did not check some weak cloud protocol problems due to the process taking too much time.
A total of 18 CVE identifiers have been assigned by MITRE to the vulnerabilities in DIR-850L routers.
“I’m happily surprised by the results of dropping 0days without coordinated disclosure when it is about D-Link products,” Kim said. “Should this be the only method with D-Link to get working security patches in a timely manner? Hopefully one day a coordinated disclosure could work in the same way.”
Kim noted that he has identified another pre-authentication exploit that still works in revision B of the firmware.
D-Link also announced this week that a federal judge has dismissed three of the six counts in a complaint filed in January by the U.S. Federal Trade Commission (FTC) against the company over its alleged failure to implement proper security measures and making deceptive claims about the security of its products.
Related: Vulnerabilities, Backdoors Found in D-Link Mobile Hotspot
Related: D-Link Failed to Patch HNAP Flaws in Routers
Related: D-Link Patches Critical Flaw in DIR Routers

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
- Cybersecurity M&A Roundup: 28 Deals Announced in September 2023
- Companies Address Impact of Exploited Libwebp Vulnerability
- Number of Internet-Exposed ICS Drops Below 100,000: Report
- Unpatched Exim Vulnerabilities Expose Many Mail Servers to Attacks
- Recently Patched TeamCity Vulnerability Exploited to Hack Servers
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
Latest News
- Synqly Joins Race to Fix Security, Infrastructure Product Integrations
- ZDI Discusses First Automotive Pwn2Own
- Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
- US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform
- Actor Tom Hanks Warns of Ad With AI Imposter
- Network, Meet Cloud; Cloud, Meet Network
- Dozens of Malicious NPM Packages Steal User, System Data
- Motel One Discloses Ransomware Attack Impacting Customer Data
