Critical Vulnerability in D-Link EOL Routers Allows Remote Code Execution
D-Link has issued a security announcement concerning several End-of-Life (EOL) and End-of-Service (EOS) router models, including the DSR-150, DSR-150N, DSR-250, and DSR-250N. The advisory highlights a stack buffer overflow vulnerability that could allow unauthenticated users to execute remote code. This critical issue affects all hardware revisions of these legacy routers running firmware versions 3.13 to 3.17B901C.
As of May 1, 2024, these models are no longer supported or patched by D-Link. According to the announcement, “Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link US.”
The reported vulnerability is a stack buffer overflow, a common but severe flaw that can lead to remote code execution (RCE). This allows attackers to potentially take full control of the device without authentication. Affected models include:
- DSR-150: All hardware revisions, firmware versions 3.13 to 3.17B901C.
- DSR-150N: All hardware revisions, firmware versions 3.13 to 3.17B901C.
- DSR-250: All hardware revisions, firmware versions 3.13 to 3.17B901C.
- DSR-250N: All hardware revisions, firmware versions 3.13 to 3.17B901C.
Given the severity of the vulnerability, D-Link has stated that no firmware updates or patches will be provided for these models, as they have reached the end of their support lifecycle.
D-Link strongly advises users to retire and replace these routers. “D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced,” the company emphasized. Continuing to use unsupported devices can leave networks exposed to critical vulnerabilities and increase the risk of data breaches.
For users unsure whether their devices are affected, D-Link recommends checking their model and firmware version through the legacy website links provided in the advisory.
