1.0 Introduction
Recently, D-Link has issued a critical advisory, urging users to promptly retire and replace several legacy router models due to their vulnerability to botnet exploits. These routers are being targeted by two botnets known as "Ficora" and "Capsaicin". The botnets exploit multiple known vulnerabilities, including CVE-2015-2051, CVE-2019-10891, CVE-2022- 37056, and CVE-2024-33112.
2.0 Impact
Compromised devices allows attackers to leverage weaknesses in the D-Link Management Interface (HNAP) to execute malicious commands via the “GetDeviceSettings” action. These attacks can lead to theft of sensitive data, execution of unauthorized shell scripts and deployment of large-scale Distributed Denial-of-Service (DDoS) operations.
3.0 Affected Product
- DIR-645: All hardware revisions, EOL as of December 31, 2018.
- DIR-806: All hardware revisions, EOL as of February 1, 2016.
- GO-RT-AC750: All hardware revisions, EOL as of February 29, 2016.
- DIR-845L: All hardware revisions, EOL as of March 1, 2016
4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the D-Link security announcement and apply the necessary updates.
Kindly refer to the following URL:
Generally, Cyber999 advises users of this device to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact Cyber999 through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17.30 MYT
Web: https://www.mycert.org.my
5.0 References