D-Link says it won’t patch 60,000 older modems because it’s not worth saving them
- Security researchers discover critical flaws in modems reaching end of life
- D-Link says it won’t patch them and recommends upgrading the hardware
- There are approximately 60,000 vulnerable devices available
Older D-Link routers are potentially vulnerable to more than one critical security issue that could allow threat actors to take over the devices. However, as they have reached end-of-life (EoL) status, the company says it will not be releasing any patches and advises users to replace the endpoints with newer models.
The news comes shortly after we reported that multiple D-Link NAS endpoints were found vulnerable to CVE-2024-10914, a command injection flaw with a severity score of 9.2. However, the company again said it would not release a fix as the affected devices have all reached EoL.
Now, security researcher Chaio-Lin Yu (Steven Meow) has found three bugs plaguing the D-Link DSL6740C modem. One is tracked as CVE-2024-11068, has a severity score of 9.8, and allows threat actors to change passwords via privileged API access. The other two are CVE-2024-11067 and CVE-2024-11066, and are a path traversal flaw and a Remote Code Execution (RCE) flaw, with scores of 7.5 and 7.2 respectively.
Tens of thousands of vulnerable endpoints
Currently, approximately 60,000 vulnerable devices are connected to the Internet, the majority of which are located in Taiwan. The model isn’t even available in the US, BleepingComputer states, since it reached EoL almost a year ago. With that in mind, D-Link said it would not address the flaw, and is proposing to “retire and replace D-Link devices that have achieved EOL/EOS.”
The same model is also vulnerable to four additional serious command injection flaws, the publication said, citing information from the Taiwan Computer and Response Center (TWCERTCC). These flaws are tracked as CVE-2024-11062, CVE-2024-11063, CVE-2024-11064, and CVE-2024-11065.
Users who cannot replace their routers at this time are advised to at least limit remote access and set secure access passwords, to minimize the chance of compromise. This would be a wise move since routers are one of the most targeted endpoints out there.