Advisory

D-Link warns of critical flaw in end-of-life routers, tells users to replace them

Take action: If you are using a D-Link router, check whether it is on the list of vulnerable devices. If it is, you have two options: install third-party firmware (possibly open source) or replace it with a supported device. Just don't ignore the problem; your router will be hacked.


Learn More

D-Link has disclosed a severe security vulnerability affecting multiple VPN router models, leading to an unprecedented recommendation for users to completely retire and replace affected devices rather than attempt patching or mitigation.

The critical vulnerability, which has not been assigned a CVE identifier, is a buffer overflow bug that enables unauthenticated Remote Code Execution (RCE). The discovery, credited to a security researcher known as 'desploit', has been deemed so serious that D-Link is intentionally withholding detailed information to protect users during the transition period.

These models are commonly deployed in homes and small businesses. The potential impact of this vulnerability is severe: attackers may be able to install rootkits, maintain persistent unauthorized access, conduct surveillance of an organization's web traffic, steal credentials, perform adversary-in-the-middle attacks, and deploy ransomware through network pivoting.

The vulnerability affects all hardware revisions of several D-Link VPN router models, including:

  • DSR-150 (EOL May 2024)
  • DSR-150N (EOL May 2024)
  • DSR-250 (EOL May 2024)
  • DSR-250N (EOL May 2024)
  • DSR-500N (EOL September 2015)
  • DSR-1000N (EOL October 2015)

D-Link has emphasized that no patches will be developed as these products have reached end-of-life status. The company is offering a 20% discount on their new DSR-250v2 model as a replacement option. D-Link also noted that while third-party firmware exists for many of these devices, its use is at the owner's risk.
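For anyone triaging more than one device, the check against the list above can be scripted. The following is an added example, not D-Link's or the advisory's own tooling: it normalizes free-form model strings from an asset inventory, ignores hardware revision suffixes (all revisions are affected), and keeps the replacement DSR-250v2 from being mistaken for the DSR-250. The CSV column names, hostnames and sample rows are constructed assumptions.

```python
import csv
import io
import re

# Affected models and EOL dates, copied from the list in the advisory above.
AFFECTED = {
    "DSR-150": "May 2024", "DSR-150N": "May 2024",
    "DSR-250": "May 2024", "DSR-250N": "May 2024",
    "DSR-500N": "September 2015", "DSR-1000N": "October 2015",
}

# "DSR", optional separator, 3-4 digits, optional N, optional "v<digit>".
# The lookahead rejects longer model names that merely share a prefix.
MODEL_RE = re.compile(r"DSR[\s\-_]?(\d{3,4})(N?)(V\d+)?(?![A-Z0-9])", re.I)

def normalize_model(raw):
    """Return a canonical name such as 'DSR-250N' or 'DSR-250v2', else None.
    Anything after the model token (e.g. 'rev A1', '/B1') is ignored,
    because every hardware revision of a listed model is affected."""
    m = MODEL_RE.search(raw)
    if not m:
        return None
    digits, n, ver = m.groups()
    return f"DSR-{digits}{n.upper()}{(ver or '').lower()}"

def flag_affected(inventory_csv):
    """Return (hostname, canonical model, EOL date) for each affected row."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = normalize_model(row["model"])
        if model in AFFECTED:
            hits.append((row["hostname"], model, AFFECTED[model]))
    return hits

# Constructed sample inventory; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """hostname,model
branch-gw-01,D-Link DSR-250N rev A1
branch-gw-02,dsr250v2
home-office-7,DSR-150/B1
lab-rtr-3,ExampleCo RT-100
hq-vpn-old,dsr 500n
"""

if __name__ == "__main__":
    for host, model, eol in flag_affected(SAMPLE_INVENTORY):
        print(f"{host}: {model} (EOL {eol}) - replace or retire")
```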

The number of affected users and the potential financial impact have not been disclosed.
