
D-Link router DIR-859 vulnerability actively exploited by hackers

Take action: Time to replace your old D-Link DIR-859 WiFi router. It may be running well, but it's no longer supported and hackers are actively looking for such devices and exploiting them.



Researchers at GreyNoise report that a critical vulnerability affecting all D-Link DIR-859 WiFi routers is being actively exploited by hackers to collect sensitive account information, including passwords.

The flaw, tracked as CVE-2024-0769 (CVSS score 9.8), is a path traversal issue that leads to information disclosure. The vulnerability affects all versions of the router firmware. The DIR-859 is an End-of-Life (EoL) device, and no further updates are expected from D-Link.

Hackers exploit this flaw by targeting the 'DEVICE.ACCOUNT.xml' file to dump account names, passwords, user groups, and descriptions. The attack involves sending a malicious POST request to '/hedwig.cgi', which leverages CVE-2024-0769 to access sensitive configuration files through 'fatlady.php'. This method can potentially expose various configurations, such as access control lists (ACLs), NAT, firewall settings, and device accounts.

Other files that could be targeted include:

  • ACL.xml.php
  • ROUTE.STATIC.xml.php
  • INET.WAN-1.xml.php
  • WIFI.WLAN-1.xml.php
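
One way to detect the request pattern described above in captured HTTP traffic, added here as an example (it is not GreyNoise's or D-Link's code): it flags POST requests to '/hedwig.cgi' whose body names one of the listed configuration files or contains a traversal sequence. The record layout (src, method, path, body) and the sample records are constructed assumptions, not the real request format.

```python
import re
from urllib.parse import unquote

# Config file names listed in the article (seen with or without a ".php" suffix).
TARGET_FILES = ("DEVICE.ACCOUNT.xml", "ACL.xml", "ROUTE.STATIC.xml",
                "INET.WAN-1.xml", "WIFI.WLAN-1.xml")
CANON = {name.lower(): name for name in TARGET_FILES}
FILE_RE = re.compile("|".join(re.escape(n) for n in TARGET_FILES), re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def classify(req):
    """Return (severity, file_or_None) for a suspicious request, else None."""
    if req["method"].upper() != "POST":
        return None
    path = unquote(req["path"]).split("?", 1)[0].lower()
    if not path.endswith("/hedwig.cgi"):
        return None
    # Decode twice so single- and double-URL-encoded bodies are normalised.
    body = unquote(unquote(req.get("body", "")))
    hit = FILE_RE.search(body)
    name = CANON[hit.group(0).lower()] if hit else None
    traversal = bool(TRAVERSAL_RE.search(body))
    if name and traversal:
        return ("high", name)      # traversal aimed at a known config file
    if name or traversal:
        return ("medium", name)    # only one indicator present: review manually
    return None                    # ordinary POST to the config endpoint

def scan(records):
    """Return [(src, severity, file)] for every flagged record."""
    flagged = []
    for rec in records:
        verdict = classify(rec)
        if verdict:
            flagged.append((rec["src"], *verdict))
    return flagged

# Constructed sample records: documentation IPs, placeholder bodies.
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "path": "/hedwig.cgi",
     "body": "x=..%2F..%2FDEVICE.ACCOUNT.xml"},
    {"src": "198.51.100.23", "method": "POST", "path": "/hedwig.cgi",
     "body": "x=%252e%252e%252fwifi.wlan-1.xml.php"},
    {"src": "192.0.2.10", "method": "POST", "path": "/hedwig.cgi",
     "body": "constructed benign settings payload"},
    {"src": "192.0.2.11", "method": "GET", "path": "/hedwig.cgi", "body": ""},
    {"src": "203.0.113.40", "method": "POST", "path": "/hedwig.cgi",
     "body": "name=ROUTE.STATIC.xml"},
]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

A "high" hit from an address outside the LAN is the case to act on first, since the router cannot be patched.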

D-Link has issued a security advisory acknowledging the vulnerability but confirmed that no patches will be released because the device has reached end-of-life status. Owners of D-Link DIR-859 routers are strongly advised to replace these devices with supported models to mitigate the risk.
