Advisory

D-Link reporting critical flaws in DIR-846W router, won't be fixed

Take action: If you are using a DIR-846W router, it is time to replace it. It has critical flaws that won't be fixed. If you can't replace it immediately, update it to the latest available firmware version, use a strong password for the web admin portal, and enable WiFi encryption. Even then, plan to replace it quickly.


Learn More

D-Link has issued a warning regarding four remote code execution (RCE) vulnerabilities affecting all hardware and firmware versions of its DIR-846W routers. The DIR-846W routers were sold primarily outside the U.S., but they are still available in some markets, including Latin America. Although the model reached EOL in 2020, many users may still have these routers in operation.

The company will not be releasing any fixes for these flaws, as the devices have reached their end-of-life (EOL) and end-of-support (EOS) status.

The vulnerabilities, discovered by security researcher yali-1002 and disclosed on August 27, 2024, have been classified as follows:

  • CVE-2024-41622 (CVSS score 9.8) - A critical RCE vulnerability via the tomography_ping_address parameter in the /HNAP1/ interface.
  • CVE-2024-44341 (CVSS score 9.8) - A critical RCE vulnerability via the lan(0)_dhcps_staticlist parameter, which can be exploited through a crafted POST request.
  • CVE-2024-44342 (CVSS score 9.8) - A critical RCE vulnerability via the wl(0).(0)_ssid parameter.
  • CVE-2024-44340 (CVSS score 8.8) - An RCE vulnerability via the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings, which requires authenticated access.

D-Link has acknowledged these vulnerabilities and their critical nature but stated that the company will not provide security updates since the DIR-846W router is no longer supported. According to D-Link’s standard policy, products that have reached their EOS/EOL will not receive any firmware updates, and users are strongly advised to retire and replace the affected router models immediately.

D-Link urges users still using DIR-846W routers to replace them with a currently supported model. If replacement is not immediately possible, users should ensure that the device is running the latest available firmware, use strong passwords for the web admin portal, and enable WiFi encryption.
