Hackers exploit critical D-Link DIR-859 router flaw to steal passwords

June 29, 2024 at 11:24AM

Hackers are exploiting a critical vulnerability (CVE-2024-0769) in D-Link DIR-859 WiFi routers to access sensitive data, including account information and passwords. Although the router is end-of-life, D-Link has released a security advisory warning about the flaw in the “fatlady.php” file. The issue poses a significant security risk, and users are urged to switch to a supported device. The observed exploitation uses a variation of the public exploit, with attackers targeting configuration files to gain full control of the device. GreyNoise has warned about the potential for further exploitation and urges defenders to stay vigilant.

Key points:

– Hackers are actively exploiting a critical vulnerability (tracked as CVE-2024-0769 with a severity score of 9.8) affecting D-Link DIR-859 WiFi routers to gather account information, including passwords.
– The security issue, a path traversal flaw in the “fatlady.php” file, was disclosed in January, affecting all firmware versions and leading to information disclosure, session data leakage, privilege escalation, and potential full control of the device via the admin panel.
– D-Link has disclosed the flaw in a security advisory but is not expected to release a patch for CVE-2024-0769, as the router model has reached end-of-life.
– GreyNoise has observed active exploitation of CVE-2024-0769, targeting the ‘DEVICE.ACCOUNT.xml’ file to retrieve account information, including account names, passwords, user groups, and user descriptions.
– The attackers’ motivation is unclear, but they are likely aiming for device takeover, as the retrieved account information could allow them full control of the device.
– Public proof-of-concept exploit variations target different configuration files, indicating potential for broader exploitation beyond ‘DEVICE.ACCOUNT.xml’.
– GreyNoise provides a list of other potential target files for exploitation and emphasizes the need for defenders to be aware of and prepared for any variations in attacks exploiting CVE-2024-0769.
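For defenders who capture HTTP traffic in front of these routers (a proxy, IDS or honeypot), the following added example, which is not code from the article, D-Link or GreyNoise, flags requests that combine path traversal with a configuration file name. It separates the ‘DEVICE.ACCOUNT.xml’ target named above from other variants; the record layout, the `file=`/`page=` field names and the assumption that variant targets also end in `.xml` are hypothetical.

```python
import re
from typing import Optional
from urllib.parse import unquote

# File name taken from the article; the matching approach is an assumption.
KNOWN_TARGET = "device.account.xml"
TRAVERSAL = re.compile(r"\.\.[/\\]")
XML_NAME = re.compile(r"([\w.\-]+\.xml)\b", re.IGNORECASE)

def normalise(payload: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded ../ is still seen."""
    for _ in range(3):
        decoded = unquote(payload)
        if decoded == payload:
            break
        payload = decoded
    return payload

def classify(payload: str) -> Optional[str]:
    """Return 'known-target', 'variant', or None for one captured request string."""
    text = normalise(payload)
    if not TRAVERSAL.search(text):
        return None  # no traversal sequence, so not this pattern
    names = [n.lower() for n in XML_NAME.findall(text)]
    if KNOWN_TARGET in names:
        return "known-target"
    # Traversal towards some other .xml file: treat as a possible variation.
    return "variant" if names else None

def scan(records):
    """records: iterable of (source_ip, payload). Returns [(ip, verdict), ...]."""
    hits = []
    for ip, payload in records:
        verdict = classify(payload)
        if verdict is not None:
            hits.append((ip, verdict))
    return hits

# Constructed sample records (not real traffic; field layout is hypothetical).
SAMPLE = [
    ("192.0.2.10", "file=../../../../path/DEVICE.ACCOUNT.xml"),
    ("192.0.2.11", "file=%252e%252e%252f%252e%252e%252fpath/OTHER.CONFIG.xml"),
    ("192.0.2.12", "file=status.xml"),
    ("192.0.2.13", "page=../index.html"),
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE):
        print(ip, verdict)
```

A "variant" hit is a lead for review rather than a confirmed attempt, since legitimate requests can also contain relative paths.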
