Taiwanese networking hardware and telecoms equipment vendor D-Link has issued an urgent advisory to customers, warning them to replace several end-of-life (EoL) VPN router models after a high-risk unauthenticated, remote code execution (RCE) vulnerability was discovered.
The vulnerability stems from a boundary error in the devices' request handling. A remote, unauthenticated attacker can send specially crafted requests to the device, trigger a stack-based buffer overflow, and execute arbitrary code on the target system.
The affected models include DSR-150, DSR-150N, DSR-250, and DSR-250N, with all hardware versions and firmware revisions from 3.13 to 3.17B901C at risk.
The flaw was identified and privately reported to D-Link by a security researcher. As yet, technical details remain undisclosed to prevent exploitation in the wild.
The company said that no patches or updates would be issued to address the flaw, as the impacted models officially reached their end-of-service status on May 1, 2024. The company strongly recommends that users replace these devices immediately to protect their networks from potential attacks.
The warning comes mere days after the company disclosed a critical command injection vulnerability (CVE-2024-10914) affecting legacy D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS devices, which is currently being exploited in the wild.