Critical Vulnerability in D-Link DIR-859 WiFi Routers Exploited by Hackers

June 29, 2024

Hackers have found a way to exploit a critical vulnerability in all D-Link DIR-859 WiFi routers to gather account information, including passwords. The security flaw, known as CVE-2024-0769, was made public in January. This flaw is a path traversal issue that results in information disclosure.

The flaw resides in the 'fatlady.php' file of the device and is present in all firmware versions. The device, D-Link DIR-859 WiFi router, has reached its end-of-life (EoL) and no longer receives updates. Despite this, D-Link released a security advisory explaining the flaw. The vulnerability allows attackers to leak session data, elevate privileges, and gain full control via the admin panel.

Given that the D-Link DIR-859 WiFi router is at EoL, D-Link is not expected to release a patch to fix CVE-2024-0769. As such, the manufacturer recommends that owners of the device transition to a supported device as soon as they can.

The threat monitoring platform GreyNoise has observed active exploitation of CVE-2024-0769. The attacks utilize a slight variation of the public exploit. The hackers are specifically targeting the 'DEVICE.ACCOUNT.xml' file to extract all account names, passwords, user groups, and user descriptions present on the device.

The attack involves a malicious POST request to '/hedwig.cgi', exploiting CVE-2024-0769 to access sensitive configuration files ('getcfg') via the 'fatlady.php' file, which may contain user credentials. While GreyNoise has not established the attackers' motivations, the focus on user passwords suggests an intent to take over the device, thereby granting the attacker full control.

'It is unclear at this time what the intended use of this disclosed information is; it should be noted that these devices will never receive a patch,' the GreyNoise researchers explain. 'Any information disclosed from the device will remain valuable to attackers for the lifetime of the device as long as it remains internet facing.'

GreyNoise also noted that the public proof-of-concept exploit, which current attacks are based on, targets the 'DHCPS6.BRIDGE-1.xml' file instead of 'DEVICE.ACCOUNT.xml'. This means it could potentially be used to target other configuration files, thereby exposing configurations for access control lists (ACLs), NAT, firewall settings, device accounts, and diagnostics. Therefore, defenders should be aware of these potential targets for exploitation.

GreyNoise has provided a more extensive list of files that could be targeted in attacks exploiting CVE-2024-0769. This information is useful for defenders in case other variations of the attack occur.
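The exploitation pattern described above (a POST to '/hedwig.cgi' reaching 'getcfg' in 'fatlady.php' and naming a configuration file such as 'DEVICE.ACCOUNT.xml' or 'DHCPS6.BRIDGE-1.xml') lends itself to a simple log check. The following is an added example, not GreyNoise's or D-Link's code; it assumes a constructed access-log format (source IP, method, path, status, quoted captured body) and uses only the indicators named in this article, rating credential-file requests highest.

```python
import re
from dataclasses import dataclass
# Indicators from the article: a POST to /hedwig.cgi that reaches the 'getcfg' handling
# in fatlady.php and names a configuration file to disclose.
EXPLOIT_ENDPOINT = "/hedwig.cgi"
EXPLOIT_MARKERS = ("getcfg", "fatlady.php")
CREDENTIAL_FILE = "DEVICE.ACCOUNT.xml"   # target observed in the wild (account names, passwords)
POC_FILE = "DHCPS6.BRIDGE-1.xml"         # target of the public proof-of-concept
CFG_NAME_RE = re.compile(r"([A-Z0-9]+(?:[.-][A-Z0-9]+)*\.xml)")

# Constructed log format (hypothetical, not a real device or IDS format):
#   <src_ip> <method> <path> <status> "<captured request body>"
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

@dataclass
class Finding:
    src_ip: str
    cfg_file: str
    severity: str
    reason: str

def classify(line: str):
    # Return a Finding if the line matches the CVE-2024-0769 pattern, else None.
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, method, path, _status, body = m.groups()
    if method != "POST" or path != EXPLOIT_ENDPOINT:
        return None
    if not any(marker in body for marker in EXPLOIT_MARKERS):
        return None
    cfg = CFG_NAME_RE.search(body)
    cfg_file = cfg.group(1) if cfg else "(no config file named)"
    if cfg_file == CREDENTIAL_FILE:
        return Finding(src_ip, cfg_file, "critical", "account names and passwords requested")
    if cfg_file == POC_FILE:
        return Finding(src_ip, cfg_file, "high", "matches the public proof-of-concept")
    return Finding(src_ip, cfg_file, "high", "configuration disclosure via getcfg/fatlady.php")

def detect(log_text: str) -> list:
    # Scan every line and keep the ones that match, preserving log order.
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

# Constructed sample lines (RFC 5737 documentation addresses); bodies are illustrative only.
SAMPLE_LOG = """\
198.51.100.7 POST /hedwig.cgi 200 "getcfg fatlady.php DEVICE.ACCOUNT.xml"
203.0.113.9 POST /hedwig.cgi 200 "getcfg fatlady.php DHCPS6.BRIDGE-1.xml"
192.0.2.4 GET /index.php 200 ""
192.0.2.5 POST /hedwig.cgi 200 "getcfg fatlady.php OTHER.CONFIG.xml"
"""
```

Any hit should be treated as a compromise indicator for an EoL device, since the disclosed credentials stay valid until the router is replaced.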
