CISA Alerts on Active Exploitation of Flaws in D-Link Routers and Chromium Browser

CVE-2021-40655

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning to federal agencies and the wider public about three security vulnerabilities currently being exploited by malicious actors. These flaws, affecting widely used D-Link routers and the Google Chromium browser engine, have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for immediate action.


Router Vulnerabilities Expose Users to Account Takeover

Two of the vulnerabilities, CVE-2014-100005 and CVE-2021-40655, affect specific models of D-Link routers (DIR-600 and DIR-605). Attackers can exploit these flaws through Cross-Site Request Forgery (CSRF) attacks, which trick authenticated users into performing unintended actions. In this case, the consequences can be severe, including the creation of rogue administrator accounts and the exposure of sensitive user credentials.

Google Chromium Bug Allows Malicious Code Execution

The third vulnerability, CVE-2024-4761, resides in the V8 JavaScript engine that powers Google Chrome and other Chromium-based browsers. This out-of-bounds memory write flaw can be triggered through specially crafted web pages, potentially allowing attackers to execute arbitrary code on a victim’s system.

While Google has already patched this vulnerability in the latest Chrome releases, users who have not updated are strongly encouraged to do so immediately.

CISA Mandates Remediation for Federal Agencies

Under Binding Operational Directive (BOD) 22-01, federal agencies are required to remediate these vulnerabilities by June 6, 2024. CISA strongly recommends that all organizations, regardless of sector, take immediate action to protect themselves. This includes patching affected software, applying firmware updates, and following vendor-specific mitigation guidance.
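As an added example, not part of the CISA alert or this article: a small Python triage script that parses records in the shape of the KEV catalog's JSON feed, matches them against product names an organisation runs, and reports days remaining against the BOD 22-01 due date. The embedded sample is constructed; the field names are the feed's and the due date is the one stated above, while the other values are illustrative.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are the
# feed's own; the 2024-06-06 due date is from the article, other values are illustrative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2014-100005", "vendorProject": "D-Link", "product": "DIR-600 Router",
     "dateAdded": "2024-05-16", "dueDate": "2024-06-06",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product."},
    {"cveID": "CVE-2021-40655", "vendorProject": "D-Link", "product": "DIR-605 Router",
     "dateAdded": "2024-05-16", "dueDate": "2024-06-06",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product."},
    {"cveID": "CVE-2024-4761", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2024-05-16", "dueDate": "2024-06-06",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product."},
]})


def parse_kev(raw: str) -> list[dict]:
    """Parse a KEV-format JSON document into its list of vulnerability records."""
    return json.loads(raw).get("vulnerabilities", [])


def triage(entries: list[dict], inventory: list[str], today: str) -> list[dict]:
    """Match KEV records against product/vendor names the organisation runs and
    compute days remaining until each BOD 22-01 due date (negative = overdue).
    `today` is an ISO date string so the caller can replay any reporting date."""
    now = date.fromisoformat(today)
    wanted = [s.lower() for s in inventory]
    rows = []
    for e in entries:
        haystack = f"{e['vendorProject']} {e['product']}".lower()
        if not any(s in haystack for s in wanted):
            continue  # not in our inventory, nothing to remediate
        due = date.fromisoformat(e["dueDate"])
        rows.append({"cve": e["cveID"], "product": e["product"], "due": due.isoformat(),
                     "days_left": (due - now).days, "overdue": now > due,
                     "action": e["requiredAction"]})
    # earliest deadline first; stable CVE order within the same due date
    return sorted(rows, key=lambda r: (r["due"], r["cve"]))


if __name__ == "__main__":
    for row in triage(parse_kev(KEV_SAMPLE), ["DIR-600", "Chromium"], "2024-06-01"):
        print(row)
```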