PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers


The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port.

The D-Link DIR-X4860 router is a high-performance Wi-Fi 6 router capable of speeds of up to 4800 Mbps and advanced features like OFDMA, MU-MIMO, and BSS Coloring that enhance efficiency and reduce interference.

The device is particularly popular in Canada, and it's sold in the global market according to D-Link's website, and still actively supported by the vendor.

Today, the SSD Secure Disclosure team of researchers announced that they discovered flaws in DIR-X4860 devices running the latest firmware version, DIRX4860A1_FWV1.04B03, which enables unauthenticated remote command execution (RCE).

"Security vulnerabilities in DIR-X4860 allow remote unauthenticated attackers that can access the HNAP port to gain elevated privileges and run commands as root," reads SSD's disclosure.

"By combining an authentication bypass with command execution the device can be completely compromised."

Accessing the Home Network Administration Protocol (HNAP) port on the D-Link DIR-X4860 router is relatively straightforward in most cases, as it's usually HTTP (port 80) or HTTPS (port 443) accessible through the router's remote management interface.

Exploitation process

The SSD analysts have shared step-by-step exploitation instructions for the issues they discovered, making a proof-of-concept (PoC) exploit now publicly available.

The attack begins with a specially crafted HNAP login request to the router's management interface, which includes a parameter named 'PrivateLogin' set to "Username" and a username of "Admin".

The router responds with a challenge, a cookie, and a public key, and these values are used to generate a valid login password for the "Admin" account.

A follow-up login request with the HNAP_AUTH header and the generated LoginPassword is sent to the target device, essentially bypassing authentication.

Login request that bypasses the authentication stepLogin request that bypasses the authentication step
Source: SSD Secure Disclosure

With authenticated access, the attacker then exploits a command injection vulnerability in the 'SetVirtualServerSettings' function via a specially crafted request.

The vulnerable 'SetVirtualServerSettings' function processes the 'LocalIPAddress' parameter without proper sanitization, allowing the injected command to execute in the context of the router's operating system.

SSD says it has contacted D-Link three times to share its findings with the router maker over the past 30 days, but all attempts to notify them have been unsuccessful, leaving the flaws currently unfixed.

BleepingComputer has also reached out to D-Link with a related request, and we are still waiting for a comment.

Until a security firmware update is made available, users of the DIR-X4860 should disable the device's remote access management interface to prevent exploitation.