D-Link WiFi range extender vulnerable to command injection attacks


The widely used D-Link DAP-X1860 WiFi 6 range extender has a vulnerability that allows DoS (denial of service) attacks and remote command injection. The device is currently available on D-Link’s website and has hundreds of ratings on Amazon, indicating that it is a popular choice among customers.

The vulnerability, tracked as CVE-2023-45208, was identified by a team of German researchers (RedTeam), who state that despite several attempts to warn D-Link, the vendor has stayed silent and no fixes have been published. Technically, the issue stems from the ‘parsing_xml_stasurvey’ function in the libcgifunc.so library, which executes a system command.
