May 17, 2024 at 09:57AM
CISA added two D-Link product CVEs to its Known Exploited Vulnerabilities (KEV) Catalog, urging federal agencies to address them promptly. The first, CVE-2014-100005, covers decade-old cross-site request forgery (CSRF) flaws in legacy D-Link routers. The second, CVE-2021-40655, is an information disclosure bug in discontinued DIR-605 routers. CISA also added CVE-2024-4761, a recently patched Chrome zero-day.
The US cybersecurity agency CISA recently added two D-Link product CVEs to its Known Exploited Vulnerabilities (KEV) Catalog. The first, CVE-2014-100005, pertains to decade-old security defects in legacy D-Link routers that have reached end-of-life (EOL) status and therefore no longer receive firmware updates. The bugs are cross-site request forgery (CSRF) flaws in specific D-Link router models: an attacker who can get a logged-in administrator's browser to issue a crafted request (for example by luring the admin to a malicious web page) can change the configuration of a vulnerable device. CISA has urged federal agencies to address these vulnerabilities promptly.
The second CVE, CVE-2021-40655, is an information disclosure bug in discontinued D-Link DIR-605 routers that lets an attacker obtain login credentials in plain text by sending forged POST requests to the device. The issue affects specific D-Link DIR-605 B2 devices, and proof-of-concept (PoC) code targeting it has been publicly available since 2021.
CISA also expanded the KEV list with CVE-2024-4761, a Chrome zero-day vulnerability that Google patched earlier this week. At present, CISA has not provided details on the observed exploitation of any of these three vulnerabilities.
Under Binding Operational Directive (BOD) 22-01, federal civilian agencies must identify vulnerable devices and applications in their environments and apply the recommended mitigations by June 6. Since the affected D-Link models are EOL, for those devices the practical remediation is to retire or isolate them rather than wait for a firmware update. Although the directive binds only federal agencies, the KEV catalog is widely used by other organizations as a prioritization signal for the same reason: every entry has confirmed in-the-wild exploitation.
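The triage step the directive describes, matching KEV entries against an asset inventory and working out which findings are due when, is easy to script against the JSON version of the catalog. The following is an added example, not CISA's code or any vendor's tool. It uses the field names of CISA's KEV JSON feed (cveID, vendorProject, product, dateAdded, requiredAction, dueDate), but the feed excerpt and the inventory embedded below are constructed for illustration: the CVE IDs are the three named in the article, while the product strings, descriptions and dates are placeholders rather than copies of the real entries.

```python
import json
import re
from datetime import date

# Constructed excerpt in the schema of CISA's known_exploited_vulnerabilities.json.
# Only the CVE IDs are real; every other value is an illustrative placeholder.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2014-100005",
            "vendorProject": "D-Link",
            "product": "Legacy routers (constructed)",
            "vulnerabilityName": "D-Link router CSRF (constructed)",
            "dateAdded": "2024-05-16",
            "shortDescription": "Constructed placeholder description.",
            "requiredAction": "Affected products are end-of-life; discontinue use.",
            "dueDate": "2024-06-06",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2021-40655",
            "vendorProject": "D-Link",
            "product": "DIR-605 Router (constructed)",
            "vulnerabilityName": "D-Link DIR-605 information disclosure (constructed)",
            "dateAdded": "2024-05-16",
            "shortDescription": "Constructed placeholder description.",
            "requiredAction": "Affected products are end-of-life; discontinue use.",
            "dueDate": "2024-06-06",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2024-4761",
            "vendorProject": "Google",
            "product": "Chromium V8 (constructed)",
            "vulnerabilityName": "Chromium V8 out-of-bounds write (constructed)",
            "dateAdded": "2024-05-16",
            "shortDescription": "Constructed placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-06-06",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: hostnames, vendor/product strings, and the CVE IDs
# a scanner reported for each asset (empty where no scan data exists).
INVENTORY = [
    {"asset": "branch-rtr-01", "vendor": "D-Link", "product": "DIR-605 B2", "cves": ["CVE-2021-40655"]},
    {"asset": "branch-rtr-02", "vendor": "D-Link", "product": "DIR-605", "cves": []},
    {"asset": "wks-0042", "vendor": "Google", "product": "Chrome", "cves": ["CVE-2024-4761"]},
    {"asset": "core-sw-01", "vendor": "Example Corp", "product": "Switch", "cves": []},
]


def load_kev(text):
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def _tokens(s):
    """Lowercase alphanumeric tokens of length >= 3, used for loose product matching."""
    return {t for t in re.split(r"[^a-z0-9]+", s.lower()) if len(t) >= 3}


def _finding(asset, entry, today, confirmed):
    due = date.fromisoformat(entry["dueDate"])
    return {
        "asset": asset["asset"],
        "cve": entry["cveID"],
        "confirmed": confirmed,
        "due": due.isoformat(),
        "days_left": (due - today).days,
        "overdue": today > due,
        # EOL gear cannot be patched; the required action then calls for removal.
        "remove_not_patch": "discontinue" in entry["requiredAction"].lower(),
    }


def kev_exposures(kev, inventory, today):
    """One finding per (asset, KEV entry).

    A CVE ID reported by the scanner is a confirmed match. For assets with no
    scan data, a vendor match plus a shared product token yields an
    "unconfirmed" finding so the device is still reviewed; EOL hardware is
    exactly the kind of asset scanners tend to miss.
    """
    findings = []
    for asset in inventory:
        seen = set()
        for cve in asset["cves"]:
            if cve in kev:
                findings.append(_finding(asset, kev[cve], today, confirmed=True))
                seen.add(cve)
        for entry in kev.values():
            if entry["cveID"] in seen:
                continue
            same_vendor = entry["vendorProject"].lower() == asset["vendor"].lower()
            if same_vendor and _tokens(entry["product"]) & _tokens(asset["product"]):
                findings.append(_finding(asset, entry, today, confirmed=False))
    # Confirmed findings first, then soonest (or most overdue) due date.
    findings.sort(key=lambda f: (not f["confirmed"], f["days_left"]))
    return findings


def triage(today=None):
    """Convenience wrapper over the embedded sample data."""
    return kev_exposures(load_kev(KEV_SAMPLE), INVENTORY, today or date.today())


if __name__ == "__main__":
    for f in triage(date(2024, 5, 17)):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        action = "remove/isolate" if f["remove_not_patch"] else "patch"
        print(f"{f['asset']:14} {f['cve']:16} confirmed={f['confirmed']!s:5} due={f['due']} {status:9} {action}")
```

Swapping KEV_SAMPLE for the downloaded feed and INVENTORY for your CMDB export is the only change needed to run this for real; the token match is deliberately loose and is meant to generate review items, not to assert a vulnerability.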