D-Link EXO AX4800 Zero-Day: Remote Hackers Exploit Unpatched Vulnerability
Experts from SSD Secure Disclosure have discovered vulnerabilities in the D-Link EXO AX4800 (DIR-X4860) router, which allow an attacker to gain complete control over the device.
The flaws were found in DIR-X4860 routers with the latest firmware version “DIRX4860A1_FWV1.04B03.” These vulnerabilities enable a remote, unauthenticated attacker with access to the HNAP port to obtain root privileges and execute commands remotely (Remote Code Execution, RCE). By combining authentication bypass with command execution, an attacker can fully compromise the device.
Access to the Home Network Administration Protocol (HNAP) port is not difficult, as it is typically available via HTTP (port 80) or HTTPS (port 443) through the router’s remote management interface.
SSD analysts have provided step-by-step instructions for exploiting the discovered vulnerabilities, making a Proof-of-Concept (PoC) publicly available. The attack begins by sending a specially crafted request to the router’s management interface, including the parameter ‘PrivateLogin’ set to “Username” and the username “Admin.”
The router responds with a callback, a cookie, and a public key, which are used to generate a valid password for the “Admin” account. A follow-up login request is then sent with the HNAP_AUTH header and the generated LoginPassword, effectively bypassing authentication.
With the obtained access, the attacker then exploits a command injection vulnerability in the ‘SetVirtualServerSettings’ function using a specially crafted request. This function processes the ‘LocalIPAddress’ parameter without proper sanitization, allowing the injected command to be executed within the router’s operating system context.
SSD claims to have contacted D-Link three times over the past 30 days to share their findings, but all notification attempts have been unsuccessful, leaving the vulnerabilities unpatched. Until a firmware update is available, users of the DIR-X4860 router are advised to disable the device’s remote management interface to prevent exploitation of the vulnerabilities.
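As an added defender-side illustration (not code from SSD's advisory or from this article), the following Python audits HNAP requests for the two conditions the text describes: HNAP reachable from a non-LAN address, and a SetVirtualServerSettings request whose LocalIPAddress value is not a plain IPv4 address, which is the input the article says goes unsanitized. The request records are constructed, and the SOAP action names, body-fragment layout and LAN ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample HNAP requests as (client_ip, SOAP action, XML body fragment).
# Synthetic data for illustration, not traffic captured from a DIR-X4860.
SAMPLE_REQUESTS = [
    ("192.168.0.23", "SetVirtualServerSettings",
     "<LocalIPAddress>192.168.0.50</LocalIPAddress>"),
    ("203.0.113.7", "Login",
     "<PrivateLogin>Username</PrivateLogin><Username>Admin</Username>"),
    ("203.0.113.7", "SetVirtualServerSettings",
     "<LocalIPAddress>192.168.0.50;PLACEHOLDER</LocalIPAddress>"),
]

# RFC 1918 ranges a home router's LAN side would use (assumption); anything else is WAN-side.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def tag_values(name, body):
    # All text values of <name>...</name> in the fragment (regex; no full XML parse needed).
    return re.findall(rf"<{name}>(.*?)</{name}>", body, re.S)

def is_strict_ipv4(value):
    """Accept a plain dotted-quad only; whitespace, metacharacters or anything else fails."""
    if not DOTTED_QUAD.fullmatch(value):
        return False
    try:
        ipaddress.IPv4Address(value)  # also rejects octets over 255
        return True
    except ValueError:
        return False

def audit_request(client_ip, action, body):
    """Findings for one HNAP request; an empty list means nothing suspicious."""
    findings = []
    if not any(ipaddress.ip_address(client_ip) in net for net in LAN_NETS):
        findings.append("HNAP request from a non-LAN address: remote management is reachable")
    if (action == "Login" and "Username" in tag_values("PrivateLogin", body)
            and "Admin" in tag_values("Username", body)):
        findings.append("PrivateLogin=Username handshake for Admin (first step of the reported bypass)")
    if action == "SetVirtualServerSettings":
        for value in tag_values("LocalIPAddress", body):
            if not is_strict_ipv4(value):
                findings.append(f"LocalIPAddress is not a plain IPv4 address: {value!r}")
    return findings

def audit(requests):
    """Audit many requests, returning (client_ip, action, finding) tuples."""
    return [(ip, act, f) for ip, act, body in requests for f in audit_request(ip, act, body)]
```

The same `is_strict_ipv4` check is what the router-side handler would need to apply to LocalIPAddress before the value ever reaches a shell.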