D-Link routers are being hacked to steal customer passwords — but it says there is no patch

Pls share this post


Listen to this article

Threat actors are abusing a vulnerability in an outdated D-Link router to steal people’s sensitive data, researchers have claimed.

Cybersecurity experts from GreyNoise recently reported observing hackers in the wild, abusing a critical vulnerability in D-Link DIR-859 Wi-Fi routers. 

The flaw is described as a path traversal vulnerability that leads to information disclosure, and is tracked as CVE-2024-0769. It has a severity score of 9.8/10, and was first discovered in January 2024.

A fair warning

The researchers said that the threat actors are targeting the ‘DEVICE.ACCOUNT.xml’ file, in order to grab all account names, passwords, user groups, and user descriptions, found on the device. 

READ ALSO 
Surprisingly cheap Pro monitor provides unique features that even Apple Studio display doesn't — AOC's new monitors offer KVM capability, a whopping 11 ports and Hollywood-grade Calman software compatibility

The worst part is that the device reached end-of-life in early 2020, meaning D-Link will not be patching this flaw. Instead, users are advised to replace the hardware with a newer component that still receives vendor support. Still, D-Link released a security advisory warning its customers of a vulnerability discovered in the ‘fatlady.php’ component of the device. In the advisory, the company explained that the flaw affects all versions of the firmware, and allows threat actors to escalate privileges and gain full control of the device through the admin panel.

The researchers subtly criticized D-Link, suggesting that publishing a security advisory without a patch is meaningless. 

READ ALSO 
Nvidia CEO says don't give up learning new skills — just maybe leave programming to AI

“It is unclear at this time what the intended use of this disclosed information is, it should be noted that these devices will never receive a patch,” the researchers said. 

“Any information disclosed from the device will remain valuable to attackers for the lifetime of the device as long as it remains internet facing.”

However, information such as this one can serve as a warning to motivate users into migrating towards a newer device, or at least to shift the responsibility of a potential data breach towards the consumer.

Via BleepingComputer

More from TechRadar Pro

READ ALSO  You can now send voice messages in Google Chat — and this could make things awkward

Source



Pls share this post
Previous articleHow to watch Portugal vs. Slovenia online for free
Next articleWindows 11 has never been so popular – but is a fresh surge of installations coming from a place of love or mere tolerance?