Recently Gianluca Pacchiella, researcher and cyber security course specialist, published a blog post referring to CVE-2020-9544, a zero-day vulnerability involving the D-Link router DSL-2640B. “I did a security assessment on my old router, as I switched Internet service providers, so I installed a new one,” Pacchiella says.
Briefly, the expert describes how he detected the security issue, in addition to making some modifications to the device code: “I started by removing all code that is not strictly necessary; in the second line, for example, I extracted method, path and protocol”, mentions the cyber security course specialist.
After parsing a couple of possible headers, the code checks whether the request is a POST and, if the path corresponds to a specific string, loads the firmware and the function returns; the same applies for updating router settings.
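To make the pattern described above concrete, the following added example (written for this article, not code from Pacchiella's post or from D-Link's firmware) models a small embedded web server's request dispatcher. It parses the request line and headers, then shows a dispatcher that lets method and path alone decide whether the privileged firmware-update handler runs, next to a hardened dispatcher that first requires a valid session. The paths, session token and request bytes are constructed placeholders, not the router's real values.

```python
"""
Model of an embedded web server's request dispatcher: the missing-authentication
pattern (method + path are the only gate) beside a hardened version that checks
a session before any privileged action. All paths, tokens and requests below
are constructed for illustration and are not the DSL-2640B's real values.
"""

FIRMWARE_PATH = "/upload_firmware.cgi"   # placeholder path, not the real one
SETTINGS_PATH = "/apply_settings.cgi"    # placeholder path, not the real one
PRIVILEGED_PATHS = {FIRMWARE_PATH, SETTINGS_PATH}

VALID_SESSIONS = {"session-token-123"}   # constructed session store


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, protocol, headers, body).

    Returns None for anything that is not a well-formed request line with
    'Name: value' headers, so callers can reject it instead of guessing.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, path, protocol = lines[0].split(" ", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return method, path, protocol, headers, body


def _route(method: str, path: str) -> str:
    """Map a (method, path) pair to the action the server would take."""
    if method == "POST" and path == FIRMWARE_PATH:
        return "firmware_update"
    if method == "POST" and path == SETTINGS_PATH:
        return "apply_settings"
    return "404 not found"


def vulnerable_dispatch(raw: bytes) -> str:
    """Mirrors the pattern described in the write-up: once the method is POST
    and the path matches, the privileged handler runs with no session check."""
    parsed = parse_request(raw)
    if parsed is None:
        return "400 bad request"
    method, path, _proto, _headers, _body = parsed
    return _route(method, path)


def is_authenticated(headers: dict) -> bool:
    """True only if the Cookie header carries a session value we issued."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in VALID_SESSIONS:
            return True
    return False


def hardened_dispatch(raw: bytes) -> str:
    """Same routing, but every privileged path is gated on a valid session
    before the handler is even selected; unauthenticated callers get 401."""
    parsed = parse_request(raw)
    if parsed is None:
        return "400 bad request"
    method, path, _proto, headers, _body = parsed
    if path in PRIVILEGED_PATHS and not is_authenticated(headers):
        return "401 unauthorized"
    return _route(method, path)


# Constructed sample requests (a LAN client posting to the management interface).
UNAUTH_UPLOAD = (
    b"POST /upload_firmware.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Length: 4\r\n\r\n"
    b"XXXX"
)
AUTH_UPLOAD = (
    b"POST /upload_firmware.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Cookie: session=session-token-123\r\n"
    b"Content-Length: 4\r\n\r\n"
    b"XXXX"
)

if __name__ == "__main__":
    print("vulnerable, no session:", vulnerable_dispatch(UNAUTH_UPLOAD))
    print("hardened, no session:  ", hardened_dispatch(UNAUTH_UPLOAD))
    print("hardened, with session:", hardened_dispatch(AUTH_UPLOAD))
```

The point of the hardened version is that the authentication check sits in front of routing rather than inside individual handlers, so adding a new privileged endpoint cannot silently skip it; on a real device the same gate is also the natural place to log unauthenticated POSTs to management paths, which is the traffic a defender would want to alert on.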
According to the cyber security course specialist, this is a significant security threat, as a threat actor with access to the same subnet could access the vulnerable device’s management web interface and install their own version of the firmware without major setbacks.
Pacchiella claims that he decided to disclose the vulnerability so that any D-Link router user can access this information, as the risk of exploitation is really
The researcher adds that he sent his report to the company, although he has not received any response. D-Link’s lack of response is worrying, as the potential exploitation of this vulnerability is trivial. In addition, Pacchiella states that correcting the flaw would be a relatively simple process, indicating that the company simply has not wanted to
This is not the first time that D-Link equipment users have pointed to company negligence, so multiple members of the cybersecurity community have recommended stopping using their products.
For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official sites of tech companies.