Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet.
Discovered by Kaspersky Lab researchers, this backdoor grants an attacker access to the device's web panel, and there's no way in which device owners can disable this secret account.
The only way to protect devices from getting hacked is to avoid having the router expose its admin panel on the WAN interface, and hence, reachable from anywhere on the Internet.
To prevent abuse, Kaspersky researchers have refrained from disclosing the backdoor's account username and password.
The backdoor account (CVE-2018-6213) is just one of four vulnerabilities Kaspersky researchers found in the firmware of these devices following a recent security audit. The other three flaws include:
Both CVE-2018-6210 and CVE-2018-6213 are considered dangerous flaws as they allow attackers easy access to the device.
The good news is that D-Link DIR-620 devices are older router models and there aren't that many around to exploit.
Most of these devices were deployed by Russian, CIS, and Eastern European ISPs as on-premise equipment provided to broadband customers.
The vast majority of these devices are located in Russia, and Kaspersky said it already contacted ISPs to inform them of the issue.
Shodan searches for these devices reveal less than 100 DIR-620 routers available online, showing that most ISPs have heeded Kaspersky's warnings and restricted access to these devices on their networks.
Kaspersky experts said they've also contacted D-Link about the discovered issues, but the company said it did not intend to issue new firmware updates for such an older model unless one of the ISPs it has as an enterprise customer specifically request a security update for these devices.
Researchers said they tested the following DIR-620 firmware versions and found that they included the four flaws, in various degrees: