D-Link has refused to patch a serious security flaw that affects four models of its home routers. The vulnerability, tracked as CVE-2019-16920, allows a remote attacker to execute code on the router and take control of it. The following D-Link router models are affected:
- D-Link DIR-655
- D-Link DIR-866L
- D-Link DIR-652
- D-Link DHP-1565
The flaw was discovered in September by Fortinet’s FortiGuard Labs and acknowledged by D-Link. According to a blog post by FortiGuard Labs, the flaw stems from a weak authentication check in the login action. An attacker can exploit it without authenticating by sending specially crafted input to the “PingTest” common gateway interface (CGI) handler.
This lets an attacker inject arbitrary commands and compromise the entire system. An attacker could, for example, install a backdoor on the router to intercept the internet traffic passing through it.
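As an added illustration (not code from the article, from FortiGuard Labs, or from D-Link’s firmware), the following Python sketch shows the defensive pattern a diagnostic ping endpoint of the kind described above should follow: reject unauthenticated requests before doing anything else, accept only a literal IP address or a well-formed hostname as the target, and invoke the ping binary with an argument list rather than through a shell. The session table, function names and request shape are hypothetical stand-ins for a router’s web interface; the unsafe helper is shown only for contrast with the hardened handler.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed session store standing in for the router's login state (hypothetical).
VALID_SESSIONS = {"sess-abc123": "admin"}

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_target(target):
    """Accept only a literal IPv4/IPv6 address or a DNS hostname.

    Anything else (spaces, ';', '|', '$', backticks, quotes, ...) is rejected,
    so shell metacharacters never reach the command layer.
    """
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def unsafe_ping_command(target):
    """The anti-pattern: untrusted input concatenated into a shell string.

    Shown for contrast only; this function is never executed here.
    """
    return "ping -c 1 " + target


def build_ping_argv(target):
    """Build an argv list for ping after validation; no shell is involved."""
    if not is_valid_target(target):
        raise ValueError("invalid ping target")
    # A validated target cannot start with '-', so it cannot be mistaken for an option.
    return ["ping", "-c", "1", target]


def handle_ping_request(session_id, target, execute=False):
    """Hardened handler: authenticate first, validate second, then run without a shell.

    With execute=False (the default, used for offline demonstration) the handler
    reports the exact command it would run instead of invoking ping.
    """
    if session_id not in VALID_SESSIONS:
        return {"status": 401, "body": "authentication required"}
    if not is_valid_target(target):
        return {"status": 400, "body": "invalid target"}
    argv = build_ping_argv(target)
    if not execute:
        return {"status": 200, "body": "would run: " + shlex.join(argv)}
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return {"status": 200, "body": result.stdout}


if __name__ == "__main__":
    print(handle_ping_request("bogus", "8.8.8.8"))              # 401: no valid session
    print(handle_ping_request("sess-abc123", "host;other"))     # 400: metacharacters rejected
    print(handle_ping_request("sess-abc123", "example.com"))    # 200: safe argv reported
```

The order of checks matters: the authentication decision is made before any request parameter is inspected, and the target is validated against an allow-list of shapes rather than by stripping known-bad characters, which is what keeps a diagnostic feature like this from becoming an unauthenticated command-execution path.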
The flaw is rated critical, with a CVSS v3.1 base score of 9.8 and a CVSS v2.0 base score of 10.0.
Why Has D-Link Refused To Patch The Flaw?
D-Link says that the affected routers have reached their End of Service life and that the company will not release a patch for the flaw. In an official announcement, the networking hardware manufacturer said:
“There is no support or development for these devices. We recommend replacing the device with a new device that is actively supported. Using these devices is at your own risk, D-Link does not recommend further use.”
We recommend that readers who own any of the affected home models replace their routers with a supported device to avoid attack.