CISA warns users to replace vulnerable D-Link routers as soon as possible

Polycount

Posts: 3,011   +589
Staff member
In brief: Network routers are a type of device that users tend to hold on to for far longer than they should. So long as they can still get connected to the internet, many users see no harm in keeping their old devices plugged in. However, the Cybersecurity & Infrastructure Agency (CISA) is reminding D-Link customers why that's not such a good idea: five more D-Link models have recently been added to the agency's list of vulnerable devices.

When a router reaches its end-of-life (as the units affected by this vulnerability have) exploits become far more serious. Manufacturers bear the responsibility to address these problems with fresh patches, but they generally don't push out updates for EOL devices (with a few rare exceptions).

The issue in question here is a "Remote Code Execution" vulnerability that exists in D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers. According to Malwarebytes Labs, attackers can take advantage of "diagnostic hooks" to make a Dynamic DNS call without proper authentication, allowing them to take control of affected routers.

Just in case this seems like only a hypothetical threat, it's worth noting that a proof-of-concept hack targeting this vulnerability already exists in the wild, thanks to Github user doudoudedi. As such, we -- and D-Link itself -- would recommend replacing any affected routers you might own as quickly as possible. It's always a shame to generate more e-waste, but in this case, it's the lesser of two evils.

Of course, it'd also be nice if router manufacturers supported their devices for longer: the 810L, for example, reached its EOL in 2019, but was first released in 2013, meaning it received less than 10 years of security patches.

At any rate, if you are in the market for a new device, consider checking out our list of the best Wi-Fi routers. We cover budget offerings as low as $70 and high-end enthusiast-grade options that hit the $300 mark.

Image credit: Stephen Phillips

Permalink to story.

 

BigRedPDX

Posts: 269   +187
D-Link hardware is terrible anyway. I like the Nighthawk routers and the Asus ROG routers. Anyone remember flashing old Linksys routers with TOAST? lol
 

Lionvibez

Posts: 2,638   +2,416
D-Link hardware is terrible anyway. I like the Nighthawk routers and the Asus ROG routers. Anyone remember flashing old Linksys routers with TOAST? lol

Dlink routers have terrible have been for along time now. I had a R7000 Nighthawk running Merlin firmware and that was great for 4 years. Now I'm using a Asus router also running merlin firmware and great. The Rog models are overpriced so wouldn't touch those.
 
Last edited:

Aaron Fox

Posts: 153   +90
Ambrose Bierce's definition of the corporation:

An ingenious device for obtaining individual profit without individual responsibility.

Mine:

A fiscal scheme designed to drain the life of the many and deposit it into the veins of the few.
 

Ben Myers

Posts: 197   +78
Dlink routers have terrible have been for along time now. I had a R7000 Nighthawk running Merlin firmware and that was great for 4 years. Now I'm using a Asus router also running merlin firmware and great. The Rog models are overpriced so wouldn't touch those.
I, too, have had only positive experiences with NetGear and Asus routers, replacing D-Link routers too old to run modern wifi, 802.11ac at minimum.
 
I switched out my routers to Mikrotik brand. I suspect no matter what brand of routers they will reach EOF support, especially residential types, except for Mikrotik since it is Linux in a box.
 

Lionvibez

Posts: 2,638   +2,416
I switched out my routers to Mikrotik brand. I suspect no matter what brand of routers they will reach EOF support, especially residential types, except for Mikrotik since it is Linux in a box.
Asus routers also used a modified version of linux.