Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability.
Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn’t assigned it a CVE identifier or really said much about it at all other than that it’s a buffer overflow bug that leads to unauthenticated RCE.
Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk.
One of the models (DSR-150) was released in 2012, went EOL in May and is listed on Amazon for <190$US.
So honestly, if it’s part of your business’ critical infrastructure you probably threw it out some time ago.
You’re right, these devices are end of life and hopefully not near critical infrastructure.