D-Link Urges Users to Replace VPN Routers Due to Unresolved RCE Vulnerability

November 19, 2024

D-Link, the networking hardware vendor, has warned its customers about a critical unauthenticated remote code execution (RCE) vulnerability affecting several end-of-life VPN router models. The flaw, which has not yet been assigned a CVE identifier, was discovered and reported by a security researcher using the handle 'delsploit'. The researcher has withheld technical details from the public to avoid triggering widespread exploitation attempts.

The vulnerability affects all hardware and firmware revisions of the DSR-150 and DSR-150N, and the DSR-250 and DSR-250N on firmware versions 3.13 through 3.17B901C. These VPN routers, commonly deployed in home offices and small businesses, were sold globally and reached end of service on May 1, 2024. D-Link states in its advisory that it will not issue a security update for these models and advises customers to replace the devices promptly.
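The practical first step for anyone running a small-office network is to find out whether any DSR units on it fall inside the affected set above. The following is an added example, not code from D-Link or from the original article: an inventory check that encodes the advisory's affected models and version range and flags each device. The firmware string format it parses (major.minor, optional 'B' plus build number, optional trailing letter, as in "3.17B901C") is an assumption based on the version strings quoted in the advisory, and the inventory it scans is constructed sample data.

```python
import re

# Affected products as stated in the D-Link advisory summarised above.
# (None, None) means every firmware revision is affected (DSR-150/150N).
AFFECTED = {
    "DSR-150": (None, None),
    "DSR-150N": (None, None),
    "DSR-250": ("3.13", "3.17B901C"),
    "DSR-250N": ("3.13", "3.17B901C"),
}

# Assumed DSR firmware version format: <major>.<minor>[B<build>][<letter>]
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:B(\d+))?([A-Z])?$")


def parse_version(version):
    """Turn a firmware string such as '3.17B901C' into a comparable tuple.

    '3.13' -> (3, 13, 0, ''); '3.17B901C' -> (3, 17, 901, 'C').
    Tuples compare element-wise, so ordinary <, <= comparisons give the
    right ordering across plain releases and lettered builds.
    """
    m = _VER_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, build, suffix = m.groups()
    return (int(major), int(minor), int(build) if build else 0, suffix or "")


def classify(model, firmware):
    """Return 'affected', 'eol-outside-listed-range' or 'not-listed'.

    A DSR-250/250N running a version outside 3.13..3.17B901C is still an
    end-of-life device with no vendor support, so it is reported separately
    rather than silently treated as safe.
    """
    model = model.strip().upper()
    if model not in AFFECTED:
        return "not-listed"
    low, high = AFFECTED[model]
    if low is None:  # every revision is affected
        return "affected"
    ver = parse_version(firmware)
    if parse_version(low) <= ver <= parse_version(high):
        return "affected"
    return "eol-outside-listed-range"


def scan_inventory(inventory):
    """Map each (host, model, firmware) record to its classification."""
    return [
        {"host": host, "model": model, "firmware": fw,
         "status": classify(model, fw)}
        for host, model, fw in inventory
    ]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("branch-gw-1", "DSR-250N", "3.17B301C"),
    ("branch-gw-2", "DSR-250", "3.12"),
    ("home-office", "DSR-150N", "1.09"),
    ("lab-router", "DSR-500N", "3.13"),
]


if __name__ == "__main__":
    for row in scan_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['model']:<9} {row['firmware']:<10} {row['status']}")
```

Anything reported as "affected" should be scheduled for replacement rather than for a firmware update, since no fix will ship; the "eol-outside-listed-range" bucket still deserves attention because those units are unsupported too.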

The company also mentions that third-party open firmware exists for these devices, but it neither supports nor recommends its use, and installing it voids any remaining warranty. The advisory reads, "D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it." For US customers who decide to keep using the devices regardless, D-Link advises running the latest available firmware, which is hosted on its Legacy Website.

However, it is important to note that even the most recent firmware version does not protect the device from the RCE flaw discovered by delsploit, and no official patch will be released. This response is consistent with D-Link's strategy of not making exceptions for end-of-life devices when critical flaws are found, irrespective of the number of people still using these devices.

Earlier this month, another security researcher, 'Netsecfish', disclosed details of CVE-2024-10914, a critical command injection flaw affecting thousands of end-of-life D-Link NAS devices. The vendor issued a warning but no security update, and last week The Shadowserver Foundation reported active exploitation attempts. In the same week, security researcher Chaio-Lin Yu (Steven Meow) and Taiwan's Computer Emergency Response Team/Coordination Center (TWCERT/CC) disclosed three serious vulnerabilities, CVE-2024-11068, CVE-2024-11067 and CVE-2024-11066, in the end-of-life D-Link DSL6740C modem. Despite tens of thousands of exposed devices turning up in internet scans, D-Link chose not to address the risk.
