South Korean security researcher Pierre Kim has published details about ten vulnerabilities he discovered in the firmware of D-Link DIR 850L routers.
The researcher published the details without giving D-Link the chance to fix the flaws. Kim says he took this step after reporting similar issues in D-Link products in February that the company ignored.
The reported flaws can be exploited from both the router's internal (LAN) and external (WAN) connections to grant attackers the ability to intercept traffic, upload malicious firmware, or get root privileges.
The researcher also discovered vulnerabilities in the MyDLink cloud service, which device owners use to connect remotely to their home routers over the Internet.
Below are summaries for all the flaws Kim discovered:
"Due to difficulties in previous exchange with Dlink, full-disclosure is applied," the researcher wrote in a security advisory he published this week, which also details each security flaw in more depth.
"Their previous lack of consideration about security made me publish this research without coordinated disclosure," Kim added. "I advise to IMMEDIATELY DISCONNECT vulnerable routers from the Internet."
Victor Gevers, security researcher and chairman of the GDI Foundation, estimates the number of exposed D-Link 850L routers at around 95,000.
Victor Gevers (@0xDUDE), September 10, 2017: "The doomed domain of D-Link. 94,155 D-Link 850L routers are exposed after a researcher made a full disclosure on its exploitable flaws."
In a statement emailed to Bleeping Computer, D-Link says it's investigating the disclosed flaws and will provide a firmware update as soon as it becomes available via support.dlink.com.
In January, the FTC took D-Link to court because the Taiwanese hardware manufacturer failed to take action and secure devices when security flaws were reported.
UPDATE [September 12, 18:35 ET]: Article updated with D-Link reply.