D-Link won't patch its older VPN routers, leaving critical vulnerability unaddressed

Instead, it is offering a 20% discount on a newer model

by · TechSpot


A hot potato: D-Link is strongly recommending that users of its older VPN routers replace the devices following the discovery of a serious remote code execution (RCE) vulnerability. As the models have reached their end of life and end of support dates, they won't be patched to protect against the flaw.

The vulnerability, reported to D-Link by security researcher 'delsploit,' hasn't been assigned a CVE identifier. The technical details have not been revealed either, giving customers time to react before cybercriminals start attempting to exploit it. We do know that it's a stack buffer overflow vulnerability, which allows unauthenticated attackers to execute code remotely on the device.

All hardware and firmware versions of the following devices are affected:

  • DSR-150 (EOL May 2024)
  • DSR-150N (EOL May 2024)
  • DSR-250 (EOL May 2024)
  • DSR-250N (EOL May 2024)
  • DSR-500N (EOL September 2015)
  • DSR-1000N (EOL October 2015)

D-Link emphasizes that it will not be releasing patches for the four affected models as they have all reached EOL or EOS, most of them in May 2024 and a couple in 2015. The company writes that its general policy is that when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases.

D-Link strongly recommends that owners of these routers upgrade to a newer model, as any further use may put the devices connected to them at risk.

The D-Link DSR 150 router

The company is trying to placate those who might be annoyed at this by offering a 20% discount on a new service router (DSR-250v2), which is not affected by the vulnerability.


D-Link also notes that while third-party open firmware is available for many of the affected devices, using it voids the warranty and is solely the responsibility of the device's owner.

This is the second time in a month that D-Link has confirmed it will not patch at-risk devices that have reached their end-of-life / end-of-service status. The Taiwanese firm recommended that owners of its discontinued NAS devices upgrade to newer models as they won't be patched to protect against a critical command injection flaw.

In 2022, the Cybersecurity & Infrastructure Security Agency (CISA) advised consumers to replace D-Link routers with an RCE vulnerability, as the devices had reached their end of life and would no longer receive patches.