D-Link routers hacked to steal customer passwords, but it says there is no patch
Researchers claim that cybercriminals are exploiting a vulnerability in an outdated D-Link router to steal people’s sensitive data.
Cybersecurity experts at GreyNoise recently reported that they have observed hackers in the wild exploiting a critical vulnerability in D-Link DIR-859 Wi-Fi routers.
The flaw is described as a path traversal vulnerability leading to information disclosure and is tracked as CVE-2024-0769. Its severity score is 9.8/10 and the flaw was first discovered in January 2024.
A fair warning
According to the researchers, the attackers target the ‘DEVICE.ACCOUNT.xml’ file to obtain all account names, passwords, user groups and user descriptions on the device.
Worst of all, the device reached end-of-life in early 2020, meaning D-Link will not be patching the flaw. Instead, users are advised to replace the hardware with a newer component that is still supported by the vendor. However, D-Link has issued a security advisory warning customers about a vulnerability discovered in the ‘fatlady.php’ component of the device. In the advisory, the company explained that the flaw affects all versions of the firmware and could allow a malicious user to escalate privileges and gain full control over the device via the admin panel.
The researchers subtly criticized D-Link, stating that publishing a security advisory without a patch is pointless.
“It is unclear at this time what this disclosed information is for. It should be noted that these devices will never receive a patch,” the researchers said.
“Any information exposed from the device remains valuable to attackers for the lifetime of the device, as long as it remains facing the internet.”
However, information like this can serve as a warning sign to motivate users to migrate to a newer device, or at least shift the responsibility for a potential data breach to the consumer.
Through BleepingComputer