CISA Issues Alert on Active Exploitation of D-Link Path Traversal Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert following evidence of active exploitation of a critical vulnerability (CVE-2024-0769) in legacy D-Link DIR-859 WiFi routers.

The flaw, which enables attackers to gain unauthorized access and potentially full control over affected devices, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Details of the Vulnerability

CVE-2024-0769 is a path traversal vulnerability present in all hardware revisions and firmware versions of the D-Link DIR-859 router.

The flaw resides in the router’s HTTP POST request handler, specifically within the /hedwig.cgi file.

By manipulating the service argument, attackers can traverse directories and access sensitive configuration files such as DHCPS6.BRIDGE-1.xml or DEVICE.ACCOUNT.xml.

This allows them to leak session data, retrieve account names and passwords, and potentially escalate privileges to take full control of the device.

The vulnerability can be exploited remotely and does not require authentication, making it particularly dangerous for devices exposed to the internet.

The D-Link DIR-859 router reached its end-of-life (EOL) status in December 2020 and is no longer supported or patched by the manufacturer.

D-Link has issued a security advisory urging all users to retire and replace these devices immediately, as no fixes will be provided. Continued use of these routers leaves networks permanently vulnerable to exploitation.

While there is no confirmed evidence that this vulnerability is being used in ransomware campaigns, the ability to extract account credentials and gain administrative access poses significant risks.

Attackers could leverage compromised routers for further attacks within home or organizational networks, or use them as entry points for larger campaigns.

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply mitigations or discontinue use of the affected products by July 16, 2025, in accordance with Binding Operational Directive 22-01.

Although this directive is specific to federal agencies, CISA strongly urges all organizations and individuals to prioritize remediation of the vulnerability as part of their cybersecurity best practices.

Recommended actions include:

  • Retiring and replacing all D-Link DIR-859 routers.
  • Disabling remote management and using strong, unique passwords if immediate replacement is not possible.
  • Monitoring router logs for suspicious activity and ensuring all devices are protected by updated security protocols.
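
One way to act on the log-monitoring recommendation, as an added example that is not from CISA, D-Link or the original article: a Python filter that flags POST requests to /hedwig.cgi whose service argument contains a traversal segment or names one of the configuration files mentioned above. The log line format, the pre-extracted `service=` field and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# File names the article lists as targets of the traversal.
SENSITIVE_FILES = ("DHCPS6.BRIDGE-1.xml", "DEVICE.ACCOUNT.xml")

# Assumed (hypothetical) log format: "<time> <src_ip> <METHOD> <path> service=<value>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) service=(.*)$")

def normalize(value, max_rounds=3):
    """Percent-decode a bounded number of times and unify separators so that
    encoded or backslash spellings of '..' are still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(line):
    """Return (src_ip, reasons) for a suspicious line, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, src, method, path, service = m.groups()
    if method.upper() != "POST" or path.split("?")[0].lower() != "/hedwig.cgi":
        return None
    value = normalize(service)
    reasons = []
    if ".." in value.split("/"):
        reasons.append("traversal")
    if any(name.lower() in value.lower() for name in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    return (src, reasons) if reasons else None

def scan(log_text):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 192.0.2.10 POST /hedwig.cgi service=EXAMPLE-1
2025-07-01T10:00:05Z 198.51.100.7 POST /hedwig.cgi service=../example/DEVICE.ACCOUNT.xml
2025-07-01T10:00:09Z 198.51.100.8 POST /hedwig.cgi service=%252e%252e%2fexample%2ffile.xml
2025-07-01T10:00:12Z 192.0.2.11 GET /index.html service=
"""

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ",".join(reasons))
```

Because the flaw needs no authentication, any hit from an external source address on a device that is still in service is reason to treat its stored credentials as disclosed.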

As exploitation attempts increase, the risk to unpatched, internet-facing devices remains high.

Security experts warn that any data disclosed from compromised routers will continue to be valuable to attackers for as long as the devices remain operational and exposed.
