Researchers from Greynoise have uncovered that attackers are actively exploiting the critical vulnerability CVE-2024-0769, which affects all Wi-Fi Routers D-Link models DIR-859. This vulnerability has been rated at 9.8 on the CVSS scale and poses a risk of bypassing the path to potentially leak information.
The attackers are leveraging this vulnerability to gather sensitive information, including user passwords. Greynoise has pointed out that the attacks target the “Device.account.xml” file, which contains account names, passwords, user groups, and descriptions.
In their attacks, hackers are using a modified version of a publicly available exploit to gain access to configuration files via Fatlady.php. They send a malicious post service to “Hedwig.cgi” to retrieve configuration files (“GetCFG”) and potentially access users’ study data.
Once they have obtained the accounts, attackers can take complete control of the device. Researchers have highlighted that the motives behind collecting this data are still unclear, but as long as vulnerable devices remain connected to the Internet, it will be valuable for attackers.
D-Link has confirmed that the routers in the DIR-859 series, first introduced in 2015, have reached the end of their life cycle and will no longer receive security updates. This means the vulnerability will go unaddressed, and the only way to secure the devices is to purchase a new router.
Researchers stress that the public POC-Exflict targets the DHCPS6.Bridge-1.xml file, not the “Device.account.xml,” allowing attackers to exploit other files. Greynoise’s post includes a list of potential variations of other configuration files that could be targeted using CVE-2024-0769.
Users of vulnerable routers are advised to replace outdated devices promptly to mitigate potential risks.