D-Link Router Command Injection Vulnerability Actively Exploited in the Wild

Cybersecurity News. Original source: cybersecuritynews.com, by Blog Writer.

D-Link has confirmed unauthenticated command injection vulnerabilities affecting multiple router models deployed internationally.

Active exploitation campaigns using DNS hijacking have been documented since late 2016, with threat actors continuing malicious activities through 2019 and beyond.

Multiple D-Link router models remain vulnerable to remote DNS modification attacks through unauthenticated web interfaces.

The vulnerabilities allow attackers to change Domain Name Server settings without authentication, redirecting user traffic to malicious infrastructure.

Exploitation Campaign Details

Security researchers have documented ongoing exploitation campaigns targeting home users and enterprise networks across multiple continents.

The affected routers lack proper input validation in their web configuration interfaces, allowing attackers to manipulate critical network settings remotely.

This vulnerability class poses a significant risk for DNS hijacking, malware distribution, and traffic interception. An extensive malvertising campaign first reported in December 2016 targeted at least 166 router models across multiple manufacturers, including D-Link.

Threat actors leveraged DNS hijacking to redirect users toward malicious advertisement servers and phishing infrastructure.

Security researchers discovered that attackers maintained persistent control over compromised routers by modifying DNS configurations, effectively intercepting all user traffic.

By April 2019, threat intelligence teams documented ongoing DNS hijacking activities targeting D-Link routers for three consecutive months.

Attackers utilized Google Cloud Platform infrastructure to launch attacks, distributing the DNSChanger malware variant. The vulnerability’s severity increased as threat actors developed automation tools and publicly disclosed exploits.

Affected Products and Firmware Versions

The following D-Link router models contain unauthenticated DNS modification vulnerabilities:

| Model     | Hardware Revision | Region    | Affected Firmware     | CVE/Exploit-DB |
|-----------|-------------------|-----------|-----------------------|----------------|
| DSL-2740R | All Rev. A        | Europe    | EU v1.15 and older    | EDB-35917      |
| DSL-2640B | All Rev. T        | Malaysia  | GE v1.07 and older    | EDB-42197      |
| DSL-2780B | All Rev. A        | AU/NZ/EU  | v1.01.14 and older    | EDB-37237      |
| DSL-526B  | All Rev. B        | Australia | AU v2.01 and older    | EDB-37241      |

Note: These models are primarily deployed outside the United States through regional carriers using custom firmware configurations.

D-Link recommends users perform factory resets, establish unique administrative passwords, and manually configure DNS settings using trusted providers.

Contact your regional carrier for official firmware patches. Alternatively, configure DNS servers directly through the device’s web interface at http://192.168.0.1 using Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1).
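A defender-side spot check for the DNS hijacking described above, added here as an example and not code from the article or from D-Link. It assumes resolver settings are read from resolv.conf-style text and that A-record answers from the configured resolver and from a trusted resolver are available for comparison; the sample text and answers are constructed, and the hostnames and addresses used are documentation values.

```python
"""Spot-check for router DNS hijacking.

Two indicators are checked:
  1. the resolvers a host actually uses are not the trusted providers;
  2. answers from those resolvers differ from a trusted resolver's answers.
Sample resolv.conf text and DNS answers are constructed inline; in practice
the answers would come from real lookups against each resolver.
"""
import ipaddress

TRUSTED_RESOLVERS = {"8.8.8.8", "1.1.1.1"}
# RFC 1918 ranges: a resolver here is normally the router forwarding DNS.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Sort resolvers into trusted, LAN (router forwarding) and unexpected.

    A LAN address means the router itself answers DNS, so the upstream
    servers an attacker may have changed are invisible from the host and
    must be verified in the router's own web interface.
    """
    result = {"trusted": [], "lan": [], "unexpected": []}
    for s in servers:
        if s in trusted:
            result["trusted"].append(s)
        elif any(ipaddress.ip_address(s) in net for net in RFC1918):
            result["lan"].append(s)
        else:
            result["unexpected"].append(s)
    return result


def hijack_indicators(observed, reference):
    """Return domains whose observed A records differ from the reference answers."""
    return sorted(d for d in observed if set(observed[d]) != set(reference.get(d, [])))


# Constructed sample: the router hands out itself plus an unknown resolver.
SAMPLE_RESOLV_CONF = "search lan\nnameserver 192.168.0.1\nnameserver 203.0.113.53\n"
# Constructed answers: one domain is redirected by the configured resolver.
REFERENCE_ANSWERS = {"example.com": ["192.0.2.10"], "example.net": ["192.0.2.20"]}
OBSERVED_ANSWERS = {"example.com": ["198.51.100.7"], "example.net": ["192.0.2.20"]}

if __name__ == "__main__":
    print(classify_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print(hijack_indicators(OBSERVED_ANSWERS, REFERENCE_ANSWERS))
```

Any resolver in the "unexpected" list, or any domain returned by hijack_indicators, is a reason to check the router's DNS configuration and apply the reset and password advice above.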


The post D-Link Router Command Injection Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.