A popular D-Link Wi-Fi range extender device is susceptible to remote command injection and there is currently no fix available.

Security researchers have discovered that the DAP-X1860 Mesh Wi-Fi 6 Range Extender from D-Link is vulnerable to a command injection attack. The device is currently on sale in stores and is a popular choice among consumers, with thousands of reviews on Amazon. The command injection vulnerability stems from a lack of input sanitisation when the device parses Wi-Fi SSID names. The device is unable to parse SSID names that contain a single tick (') in the name; instead, it interprets the single tick as a command terminator. This allows attackers to craft SSID names that contain a shell command after the single tick and have that command executed by the D-Link range extender. The injected commands run with root privileges, allowing attackers to gain access to the device. The researchers reached out to D-Link to report the flaw in May 2023 but, despite multiple follow-ups, did not receive any reply. The vulnerability does not seem to have been addressed, and device owners are recommended to limit manual network scans, treat sudden disconnections as suspicious, and turn off the extender when not in use.
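To make the bug class concrete, here is an added, hypothetical example (not the DAP-X1860 firmware, and not a claim about how that device builds its commands) showing the vulnerable pattern of pasting an SSID into a shell string beside the hardened form that passes it as a discrete argument; the `iwconfig` invocation and the sample SSID are assumptions for illustration.

```python
"""Vulnerable vs. hardened handling of an SSID that ends up in a shell command.

Added example; hypothetical code, not the D-Link firmware."""
import shlex
from typing import List

MAX_SSID_BYTES = 32  # 802.11 limit on SSID length

# Constructed sample: a perfectly legitimate SSID that happens to contain a single tick.
SAMPLE_SSID = "Dave's Cafe"


def unsafe_command(ssid: str) -> str:
    """Vulnerable pattern: SSID pasted into a single-quoted shell string.
    A tick inside the SSID closes the quoted region early, so the shell parses
    whatever follows as part of the command line rather than as the name."""
    return f"iwconfig wlan0 essid '{ssid}'"  # hypothetical command, for illustration only


def ssid_is_wellformed(ssid: str) -> bool:
    """Accept only what 802.11 allows: 1-32 bytes, no control characters.
    A single tick is a legal SSID character, so rejecting it would break real
    networks; the fix is to keep the name away from a shell, not to ban ticks."""
    raw = ssid.encode("utf-8")
    if not 0 < len(raw) <= MAX_SSID_BYTES:
        return False
    return not any(b < 0x20 or b == 0x7F for b in raw)


def safe_argv(ssid: str) -> List[str]:
    """Hardened pattern: validate, then hand the SSID over as one argv element
    (subprocess.run(argv) with shell=False). No shell parses it, so quotes are inert."""
    if not ssid_is_wellformed(ssid):
        raise ValueError("malformed SSID")
    return ["iwconfig", "wlan0", "essid", ssid]


def safe_shell_string(ssid: str) -> str:
    """If a shell string is unavoidable, shlex.quote escapes the tick correctly."""
    return "iwconfig wlan0 essid " + shlex.quote(ssid)


def quote_breaks_out(ssid: str) -> bool:
    """Check helper: does the naive quoting let this SSID escape its quoted region?
    True when a POSIX-style split of the unsafe string does not yield the intended argv."""
    try:
        return shlex.split(unsafe_command(ssid)) != ["iwconfig", "wlan0", "essid", ssid]
    except ValueError:
        return True  # unbalanced quote: the shell would not see the intended command either
```

The check helper is also a cheap unit test to run over any code path that still formats device-controlled strings into a shell command.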

This segment was created for the It’s 5:05 podcast