The D-Link EXO AX4800 router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port.
The D-Link DIR-X4860 router is a high-performance Wi-Fi 6 router capable of speeds of up to 4800 Mbps and advanced features like OFDMA, MU-MIMO, and BSS Coloring that enhance efficiency and reduce interference.
The device is particularly popular in Canada, is sold on the global market according to D-Link's website, and is still actively supported by the vendor.
Today, the SSD Secure Disclosure team of researchers announced that they discovered flaws in DIR-X4860 devices running the latest firmware version, DIRX4860A1 FWV1.04B03, which enable unauthenticated remote command execution.
Accessing the Home Network Administration Protocol port on the D-Link DIR-X4860 router is relatively straightforward in most cases, as it's usually HTTP or HTTPS accessible through the router's remote management interface.
The SSD analysts have shared step-by-step exploitation instructions for the issues they discovered, making a proof-of-concept exploit now publicly available.
A follow-up login request with the HNAP AUTH header and the generated LoginPassword is sent to the target device, essentially bypassing authentication.
With authenticated access, the attacker then exploits a command injection vulnerability in the 'SetVirtualServerSettings' function via a specially crafted request.
The vulnerable 'SetVirtualServerSettings' function processes the 'LocalIPAddress' parameter without proper sanitization, allowing the injected command to execute in the context of the router's operating system.
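As an added, defender-side example that is not from the article or from D-Link, the following Python inspects HNAP SetVirtualServerSettings request bodies and flags any LocalIPAddress value that is not a strict dotted-quad IPv4 literal, the kind of validation the vulnerable handler lacks. The SOAP envelope layout and the purenetworks.com HNAP namespace are assumptions about how HNAP requests look, and the sample bodies are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET


def hnap_body(local_ip):
    """Build a constructed HNAP SOAP body (envelope layout and namespace are assumed)."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><SetVirtualServerSettings xmlns="http://purenetworks.com/HNAP1/">'
        f'<LocalIPAddress>{local_ip}</LocalIPAddress>'
        '<ExternalPort>8080</ExternalPort>'
        '</SetVirtualServerSettings></soap:Body></soap:Envelope>'
    )


# Constructed samples: one well-formed address, one value that is not an address.
SAMPLES = {
    "benign": hnap_body("192.168.0.50"),
    "suspicious": hnap_body("192.168.0.50;NOT_AN_ADDRESS"),
}


def is_strict_ipv4(value):
    """True only for a bare dotted-quad; rejects whitespace, shell
    metacharacters, hostnames, IPv6 and out-of-range octets."""
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value):
        return False
    try:
        ipaddress.IPv4Address(value)  # catches octets above 255
    except ipaddress.AddressValueError:
        return False
    return True


def local_name(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def inspect_hnap_body(body):
    """Return (action, value) findings for LocalIPAddress values inside
    SetVirtualServerSettings that are not strict IPv4 literals."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [("malformed", "unparseable SOAP body")]
    findings = []
    for action in root.iter():
        if local_name(action.tag) != "SetVirtualServerSettings":
            continue
        for param in action.iter():
            if local_name(param.tag) == "LocalIPAddress":
                value = (param.text or "").strip()  # tolerate pretty-printed XML
                if not is_strict_ipv4(value):
                    findings.append(("SetVirtualServerSettings", value))
    return findings
```

The same allow-list check, applied before the value ever reaches a shell, is the fix a firmware handler needs; on the network side, the findings list can feed an alert for any remote-management request that fails it.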
SSD says it has contacted D-Link three times to share its findings with the router maker over the past 30 days, but all attempts to notify them have been unsuccessful, leaving the flaws currently unfixed.
BleepingComputer has also reached out to D-Link with a related request, and we are still waiting for a comment.
Until a security firmware update is made available, users of the DIR-X4860 should disable the device's remote access management interface to prevent exploitation.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 14 May 2024 22:10:47 +0000