What vulnerability does the D-Link DAR-7000 device have?

The D-Link DAR-7000 device is vulnerable to SQL injection. This vulnerability is tracked as CVE-2023-42406 with a CVSS3 score of 9.8.

What can attackers do by exploiting this vulnerability?

By exploiting this flaw, attackers could potentially obtain administrative rights, allowing them to run unauthorized commands on affected devices.

What is the status of the DAR-7000 model?

The DAR-7000 model, for all hardware revisions in all regions, reached its End of Service Life on 12/31/2015.

What precautions should consumers take if they continue using EOL products?

Consumers should ensure the device runs the latest firmware from the Legacy Website, regularly update the device's access password, and enable WIFI encryption with a unique password.

Advisory

D-LINK DAR-7000 vulnerable to critical SQL Injection

Q: Does D-Link provide support for products that reach End of Support (EOS) or End of Life (EOL)?

D-Link products that reach EOS or EOL no longer receive development or customer support. D-Link US can't assist with issues related to these products.

published: Oct. 28, 2023

Learn More

The D-Link DAR-7000 device is vulnerable to SQL injection. Exploiting this flaw, attackers could potentially obtain administrative rights, letting them run unauthorized commands on affected devices. The vulnerability is tracked as CVE-2023-42406 (CVSS3 score of 9.8).

The DAR-7000 is a legacy router that's not sold on the US market.

A Proof-of-Concept (PoC) illustrating the exploit is published on GitHub. The vulnerability is present in the /sysmanage/editrole.php endpoint of the device, which is susceptible to SQL injection. To exploit this flaw, a hacker can send a specially designed payload, like

“hid_id=(select*from(select(sleep(3)))a)”

to the vulnerable endpoint, leading to a successful breach of the system.

Status of the model

Model	Region	Hardware Revision	End of Service Life
DAR-7000	All Regions	All H/W Revisions	12/31/2015

D-Link products that reach End of Support ("EOS") or End of Life ("EOL") no longer receive development or customer support. D-Link US can't assist with issues related to these products. Customers outside the US should contact their regional D-Link office or their service provider if the device was supplied by them.

While some EOL products may have third-party open-firmware available, D-Link doesn't support this, and using it voids the warranty. D-Link advises retiring these products to avoid risks. If still in use, consumers should ensure the device runs the latest firmware from the Legacy Website and regularly update both the device's access password and enable WIFI encryption with a unique password.

D-LINK DAR-7000 vulnerable to critical SQL Injection