Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability.

Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn’t assigned it a CVE identifier or really said much about it at all other than that it’s a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk.

  • spechter

    One of the models (DSR-150) was released in 2012, went EOL in May and is listed on Amazon for <190$US.

    So honestly, if it’s part of your business’ critical infrastructure you probably threw it out some time ago.

    • cron@feddit.org (OP)

      You’re right, these devices are end of life and hopefully not near critical infrastructure.