
D-Link is warning customers to replace end-of-life VPN router models after a critical unauthenticated, remote code execution vulnerability was discovered that will not be fixed on these devices.
The flaw was discovered and reported to D-Link by security researcher 'delsploit,' but technical details have been withheld from the public to avoid triggering mass exploitation attempts in the wild.
The vulnerability, which does not have a CVE assigned to it yet, impacts all hardware and firmware revisions of DSR-150 and DSR-150N, and also DSR-250 and DSR-250N from firmware 3.13 to 3.17B901C.
These VPN routers, popular in home office and small business settings, were sold internationally and reached their end of service on May 1, 2024.
D-Link has made it clear in the advisory that they will not be releasing a security update for the four models, recommending customers replace devices as soon as possible.
The vendor also notes that third-party open firmware may exist for these devices, but this practice is not officially supported or recommended, and installing such software voids any warranty that covers the product.
"D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it," reads the bulletin.
"If US consumers continue to use these devices against D-Link's recommendation, please make sure the device has the last known firmware which can be located on the Legacy Website."
Users may download the most current firmware for these devices from here:
It should be noted that even using the latest available firmware version does not protect the device from the remote code execution flaw discovered by delsploit, and no patch will be officially released for it.
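Since no patch will ship, the practical defensive step is to find these units in your estate. The following helper is an added example (not from the article, D-Link, or delsploit) that screens an asset inventory against the affected set as the article states it: every DSR-150 and DSR-150N, and DSR-250 / DSR-250N on firmware 3.13 through 3.17B901C. The inventory records and hostnames are constructed, and the version parser assumes D-Link's "major.minor" strings with an optional build suffix such as "B901C"; devices whose firmware falls outside the listed range are reported as unverified rather than safe, because the advisory lists what is affected, not what is clean.

```python
import re

# Affected set as reported in the article (no CVE assigned at time of writing).
AFFECTED_ALL_VERSIONS = {"DSR-150", "DSR-150N"}
AFFECTED_RANGE = {
    "DSR-250": ("3.13", "3.17B901C"),
    "DSR-250N": ("3.13", "3.17B901C"),
}

# Assumed format: optional 'v', major.minor, optional letter(s)+build number+letter(s), e.g. 3.17B901C
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:[A-Za-z]+(\d+)([A-Za-z]*))?$")


def parse_version(text):
    """Turn '3.17B901C' into a comparable tuple (3, 17, 901, 'C'); '3.13' becomes (3, 13, 0, '')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, build, suffix = m.groups()
    return (int(major), int(minor), int(build or 0), (suffix or "").upper())


def assess(model, firmware):
    """Classify one device against the advisory.

    Returns 'affected', 'outside-listed-range' (listed model, firmware not in the
    stated range: treat as unverified, not as safe) or 'not-listed-model'.
    """
    model = model.strip().upper()
    if model in AFFECTED_ALL_VERSIONS:
        return "affected"  # all hardware and firmware revisions
    if model in AFFECTED_RANGE:
        lo, hi = AFFECTED_RANGE[model]
        if parse_version(lo) <= parse_version(firmware) <= parse_version(hi):
            return "affected"
        return "outside-listed-range"
    return "not-listed-model"


# Constructed inventory records (hypothetical hostnames), as an asset-management export might look.
INVENTORY = [
    {"host": "branch-rtr-01", "model": "DSR-250N", "firmware": "3.17B901C"},
    {"host": "branch-rtr-02", "model": "dsr-250", "firmware": "3.12"},
    {"host": "home-rtr-01", "model": "DSR-150", "firmware": "1.09"},
    {"host": "core-rtr-01", "model": "DSR-500N", "firmware": "3.17B901C"},
]


def flag_inventory(records):
    """Return the records that must be replaced (status 'affected')."""
    return [r for r in records if assess(r["model"], r["firmware"]) == "affected"]


if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec["host"], rec["model"], rec["firmware"], "->", assess(rec["model"], rec["firmware"]))
    print("replace:", [r["host"] for r in flag_inventory(INVENTORY)])
```

Feed it the model and firmware fields from your own inventory export; anything reported as "outside-listed-range" on a DSR-250 or DSR-250N still deserves a manual look, since the device is end of service either way.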
D-Link's response aligns with the networking hardware vendor's strategy not to make exceptions for EoL devices when critical flaws are discovered, no matter how many people are still using these devices.
"From time to time, D-Link will decide that some of its products have reached End of Support ("EOS") / End of Life ("EOL")," explains D-Link.
"D-Link may choose to EOS/EOL a product due to evolution of technology, market demands, new innovations, product efficiencies based on new technologies, or the product matures over time and should be replaced by functionally superior technology."
Earlier this month, security researcher 'Netsecfish' disclosed details about CVE-2024-10914, a critical command injection flaw impacting thousands of EoL D-Link NAS devices.
The vendor issued a warning but not a security update, and last week, threat monitoring service The Shadowserver Foundation reported seeing active exploitation attempts.
Also last week, security researcher Chiao-Lin Yu (Steven Meow) and the Taiwan Computer Emergency Response Team / Coordination Center (TWCERTCC) disclosed three dangerous vulnerabilities, CVE-2024-11068, CVE-2024-11067, and CVE-2024-11066, impacting the EoL D-Link DSL6740C modem.
Despite internet scans returning tens of thousands of exposed endpoints, D-Link decided not to address the risk.
Comments
tverweij - 4 weeks ago
Indeed, time to replace them.
With devices from another manufacturer.
electrolite - 4 weeks ago
"From time to time, D-Link will decide that some of its products have reached End of Support ("EOS") / End of Life ("EOL")," explains D-Link.
I think they meant to say "From time to time, D-Link will decide that some of its customers are SOL".
b1k3rdude - 4 weeks ago
Er how about D-lunk can go f*** themselves and users can install Open-WRT/DD-wrt or OpnSense.
https://oldwiki.archive.openwrt.org/toh/d-link/dsr-250n
schale01 - 4 weeks ago
If they are EOL then they should probably stop selling them on Amazon
D-Link VPN Router, 8 Port 10/100 with Dynamic Web Content Filtering (DSR-150) https://a.co/d/c7vI6II
DLink really needs to be held accountable for this and commit to security patches for at least 5 years AFTER they stop selling the product.
delg_trot - 3 weeks ago
If these routers (and, indeed, any technological product) have an "expiration date", they should be required to write that date on the label as with any other product. If I cannot use a router because it has no security support, it is the same situation as if I cannot eat a food product because its manufacturer cannot guarantee its safety beyond a certain date. This must be included on the label so that I can make an informed purchase. And, of course, selling this router after its expiration date (EOL) should be considered fraud or even an attack on public safety.
ruserious - 3 weeks ago
For the D-LINK DSR-150 it says "Last Day of Support: 12/31/2026" on the D-LINK page, so not releasing a security update or changing the EOL for the device is clearly a scam.