Multiple D-Link End-of-Life Routers Vulnerabilities Let Attackers Execute Remote Code
D-Link, a prominent networking hardware manufacturer, has issued a critical security advisory urging users to retire and replace several end-of-life VPN router models due to a severe remote code execution (RCE) vulnerability.
The affected devices include all hardware revisions of DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500N, and DSR-1000N routers.
The vulnerability, discovered by security researcher ‘delsploit,’ allows unauthenticated users to execute remote code on the affected devices due to a stack buffer overflow issue.
D-Link has not assigned a CVE identifier to this flaw, likely to prevent widespread exploitation attempts.
Most of the impacted models reached their end-of-service life on May 1, 2024, with the DSR-500N and DSR-1000N having been discontinued in 2015.
D-Link has made it clear that they will not be releasing security updates for these devices, as their general policy is to cease all firmware development and support for products that have reached end-of-life status.
D-Link Response
The company strongly advises users to retire these routers immediately, warning that continued use may pose significant risks to connected devices.
For those who choose to keep using the affected routers against D-Link’s recommendations, the company suggests ensuring that the latest available firmware is installed, frequently updating the device’s unique password, and always enabling Wi-Fi encryption with a separate password.
To assist affected customers in the United States, D-Link is offering a 20% discount on the purchase of a newer model, the DSR-250v2 4-Port Unified Services VPN Router.
However, this offer does little to address the security concerns of users who may be unable or unwilling to upgrade immediately.
This incident follows a recent pattern of D-Link declining to patch critical vulnerabilities in end-of-life devices.
Earlier this month, the company faced criticism for not addressing a severe flaw affecting thousands of end-of-life NAS devices, despite reports of active exploitation attempts.
The situation shows the ongoing challenges in maintaining the security of older networking equipment and raises questions about manufacturers’ responsibilities towards users of legacy devices.
As cyber threats continue to evolve, users are increasingly caught between the need for up-to-date security and the desire to maximize the lifespan of their existing hardware.