D-Link VPN routers have more major security issues

the best VPN routers
(Image credit: Shutterstock)

A previously undisclosed vulnerability has been discovered in VPN routers from D-Link that could allow an attacker to take full control over the affected devices.

The Vulnerability Research Team (VRT) at the threat management firm Digital Defense discovered a root command injection flaw in D-Link's DSR-150, DSR-250, DSR-250, DSR-500 and DSR-1000AC VPN routers. 

Devices running firmware version 3.14 and 3.17 are vulnerable to potential attacks and this is made worse by the fact that D-Link's VPN routers are commonly available on many popular ecommerce sites such as Amazon Best Buy, Office Depot and Walmart. 

As more employees are working from home during the pandemic, some might be connecting to corporate networks using one of the affected devices which could put organizations at risk as well.

Command injection flaw

The vulnerable component of D-Link's VPN routers is accessible without authentication from both WAN and LAN interfaces and the flaw could even be exploited over the internet.

Additionally, a remote, unauthenticated attacker with access to the router's web interface could execute arbitrary commands as root which would effectively give them complete control of the router. With this access, an attacker could intercept or modify traffic, cause denial of service conditions and launch further attacks on other assets as D-Link routers can simultaneously connect to up to 15 devices.

SVP of engineering at Digital Defense Mike cotton explained how the firm responsibly disclosed the vulnerability to D-Link in a press release, saying:

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to D-Link who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.” 

D-Link has now patched the flaw and released updated firmware for all of the affected routers. Users can check out the company's advisory on the issue for more information and it is highly recommended that they download and install the updated firmware for their device.

  • Also check out our complete list of the best VPN services
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.