D-Link declines to address critical vulnerability affecting 60,000 end-of-life modems

13 Nov 2024

Around 60,000 outdated D-Link routers face a critical security vulnerability that permits unauthorized remote attackers to reset passwords and fully control the device. Security researcher Chaio-Lin Yu, also known as Steven Meow, discovered this flaw in the D-Link DSL6740C model and reported it to Taiwan’s cybersecurity response center (TWCERTCC).

This model, which reached its end-of-service (EoS) earlier this year, wasn’t available in the U.S. In a recent advisory, D-Link stated that they won’t be addressing the flaw, urging users to “retire and replace” affected end-of-life (EoL) devices.

Yu reported two further vulnerabilities in the same model to TWCERTCC: an OS command injection and a path traversal issue.

Here’s a summary of the three critical flaws:
CVE-2024-11068: This flaw lets unauthenticated attackers reset any user’s password via a privileged API, providing access to the device’s web, SSH, and Telnet services (CVSS v3 score: 9.8, “critical”).
CVE-2024-11067: A path traversal vulnerability enables attackers to read system files, retrieve the MAC address, and attempt login using default credentials (CVSS v3 score: 7.5, “high”).
CVE-2024-11066: Allows attackers with admin access to execute arbitrary commands on the host OS via a specific web page (CVSS v3 score: 7.2, “high”).
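The two bug classes behind CVE-2024-11067 and CVE-2024-11066, path traversal and OS command injection, are easiest to recognise side by side. The following is an added illustration written for this article, not D-Link firmware code and not tied to the DSL6740C's actual web pages: each handler appears in a naive form beside a hardened form, with a throw-away directory tree and a constructed host value as input (`echo` stands in for a real diagnostic binary so it runs anywhere).

```python
"""Added example: naive vs hardened handlers for the two bug classes named
in the advisory. All paths, file contents and host values are constructed."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Allow-list for a host parameter: hostname characters and dotted IPv4 only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


# --- Path traversal -------------------------------------------------------

def read_file_naive(web_root: str, requested: str) -> bytes:
    """Vulnerable pattern: '../' (or an absolute path) escapes web_root."""
    with open(os.path.join(web_root, requested), "rb") as fh:
        return fh.read()


def read_file_hardened(web_root: str, requested: str) -> bytes:
    """Canonicalise first, then require the result to stay under web_root."""
    root = Path(web_root).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"refusing {requested!r}: resolves outside web root")
    return target.read_bytes()


def demo_traversal() -> tuple[bool, bool]:
    """Build a temporary tree (constructed data) and exercise both handlers.
    Returns (naive_leaked_secret, hardened_blocked_request)."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base) / "www"
        root.mkdir()
        (root / "index.html").write_bytes(b"<html>ok</html>")
        (Path(base) / "secret.txt").write_bytes(b"SECRET")  # outside web root
        leaked = read_file_naive(str(root), "../secret.txt") == b"SECRET"
        try:
            read_file_hardened(str(root), "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        # A legitimate request still succeeds through the hardened handler.
        assert read_file_hardened(str(root), "index.html") == b"<html>ok</html>"
        return leaked, blocked


# --- OS command injection -------------------------------------------------

def is_valid_host(host: str) -> bool:
    """Strict allow-list check on the user-supplied host parameter."""
    return bool(HOST_RE.fullmatch(host))


def diag_naive(host: str) -> str:
    """Vulnerable pattern: a shell command string built from user input."""
    return subprocess.run(f"echo pinging {host}", shell=True,
                          capture_output=True, text=True).stdout


def diag_hardened(host: str) -> str:
    """Validate the value, then pass it as a single argv element, no shell."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value {host!r}")
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


def demo_injection() -> tuple[bool, bool]:
    """Returns (naive_ran_extra_command, hardened_rejected_input)."""
    payload = "192.0.2.1; echo INJECTED"  # constructed test input
    naive_ran_extra = "INJECTED" in diag_naive(payload).splitlines()
    try:
        diag_hardened(payload)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return naive_ran_extra, hardened_blocked


if __name__ == "__main__":
    print("traversal (naive leaked, hardened blocked):", demo_traversal())
    print("injection (naive ran extra, hardened blocked):", demo_injection())
```

The hardened versions rely on two habits that firmware web handlers often skip: canonicalise a path and compare it against the allowed root before opening it, and never hand user input to a shell, validating it against an allow-list and passing it as a discrete argument instead.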

A search on FOFA shows nearly 60,000 DSL6740C modems exposed online, predominantly in Taiwan. TWCERTCC has also issued alerts for four other high-severity OS command injection vulnerabilities affecting this model, identified as CVE-2024-11062, CVE-2024-11063, CVE-2024-11064, and CVE-2024-11065.

Despite the substantial number of exposed devices, D-Link has reiterated in the past that EoL devices will not receive updates, even for critical issues. Users unable to replace the affected model are advised to at least disable remote access and use strong passwords.