D-Link Warns of Code Execution Flaws in Discontinued Router Model

D-Link warns of multiple remote code execution vulnerabilities impacting its discontinued DIR-846 router model.

Networking hardware manufacturer D-Link over the weekend warned that its discontinued DIR-846 router model is affected by multiple remote code execution (RCE) vulnerabilities.

A total of four RCE flaws were discovered in the router’s firmware, including two critical- and two high-severity bugs, all of which will remain unpatched, the company said.

The critical security defects, tracked as CVE-2024-44341 and CVE-2024-44342 (CVSS score of 9.8), are described as OS command injection issues that could allow remote attackers to execute arbitrary code on vulnerable devices.

According to D-Link, the third flaw, tracked as CVE-2024-41622, is a high-severity issue that can be exploited via a vulnerable parameter. The company lists the flaw with a CVSS score of 8.8, while NIST advises that it has a CVSS score of 9.8, making it a critical-severity bug.

The fourth flaw, CVE-2024-44340 (CVSS score of 8.8), is a high-severity RCE security defect that requires authentication for successful exploitation.

All four vulnerabilities were discovered by security researcher Yali-1002, who published advisories for them, without sharing technical details or releasing proof-of-concept (PoC) code.

“The DIR-846, all hardware revisions, have reached their End of Life (‘EOL’) /End of Service Life (‘EOS’) Life-Cycle. D-Link US recommends D-Link devices that have reached EOL/EOS, to be retired and replaced,” D-Link notes in its advisory.

The manufacturer also underlines that it ceased the development of firmware for its discontinued products, and that it “will be unable to resolve device or firmware issues”.

The DIR-846 router was discontinued four years ago and users are advised to replace it with newer, supported models, as threat actors and botnet operators are known to have targeted D-Link devices in malicious attacks.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
