Follow @EthHackingNews |
D-Link warns of multiple remote code execution vulnerabilities impacting its discontinued DIR-846 router series. Networking hardware vendor D-Link wars of multiple remote code execution (RCE) vulnerabilities in its discontinued DIR-846 router model. The vulnerabilities CVE-2024-44341 and CVE-2024-44342 (CVSS score of 9.8) are two OS command injection issues. A remote attacker could exploit them to execute […] D-Link warns of multiple remote code execution vulnerabilities impacting its discontinued DIR-846 router series. Networking hardware vendor D-Link wars of multiple remote code execution (RCE) vulnerabilities in its discontinued DIR-846 router model. The vulnerabilities CVE-2024-44341 and CVE-2024-44342 (CVSS score of 9.8) are two OS command injection issues. A remote attacker could exploit them to execute arbitrary code on vulnerable devices. “D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability (CVE-2024-44341) via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.” reads the advisory. “D-Link DIR-846W Firmware A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability (CVE-2024-44342) via the wl(0).(0)_ssid parameter.” The vendor also addressed a remote command execution (RCE) vulnerability, tracked as CVE-2024-41622 (CVSS score of 8.8), that resides in the tomography_ping_address parameter in /HNAP1/ interface. The fourth issue addressed by the company is a high-severity RCE vulnerability, tracked as CVE-2024-44340 (with a CVSS score of 8.8), which can be exploited by an authenticated attacker. The security researcher Yali-1002 discovered the above vulnerabilities. The vendor recommends to retire and replace devices that have reached their End of Life (‘EOL’) /End of Service Life (‘EOS’) Life-Cycle. Routers are a privileged target for threat actors and botnet operators. In January, researchers from cybersecurity firm GreyNoise spotted exploitation attempts for the critical vulnerability CVE-2024-0769 (CVSS score 9.8) impacting all D-Link DIR-859 WiFi routers. The vendor stated that the DIR-859 family of routers has reached their End of Life (“EOL”)/End of Service Life (“EOS”) life-cycle, and for this reason, the flaw will likely not be addressed. Pierluigi Paganini Follow me on Twitter: @securityaffairs and Facebook and Mastodon (Security Affairs hacking, IoT)
Published: 2024-09-04T14:49:55
Follow @EthHackingNews |