D-Link Leaves Critical VPN Router Vulnerability Unpatched, Offers Hardware Discount Instead

D-Link has announced it will not provide security patches for several older VPN router models affected by a serious remote code execution (RCE) vulnerability, instead offering customers a discount on newer hardware.

The vulnerability, reported by security researcher 'delsploit', is a stack buffer overflow that lets an unauthenticated remote attacker execute arbitrary code on an affected device. Technical details have been withheld to limit immediate exploitation, but the flaw affects the DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500N, and DSR-1000N across all hardware revisions and all firmware versions.

The company states it will not address the flaw because these models have already reached their end-of-life (EOL) or end-of-support (EOS) dates. Four of the affected models reached EOL in May 2024, while the other two reached EOL in 2015. Under D-Link's policy, products that reach EOL/EOS status no longer receive firmware updates or security patches.

As a remedy, D-Link is offering affected customers a 20% discount on their DSR-250v2 router model, which is not impacted by the vulnerability. The company strongly advises users to upgrade their hardware, warning that continued use of affected devices could put connected networks at risk.

While third-party open-source firmware options exist for some affected models, D-Link cautions that installing such alternatives voids device warranties and becomes the user's sole responsibility.

This announcement follows a similar situation last month where D-Link declined to patch critical flaws in discontinued NAS devices. In 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) also recommended replacing certain D-Link routers due to unpatched RCE vulnerabilities in EOL devices.

Offering a discount instead of a security update for devices that were still in support only months before the disclosure raises questions about the lifecycle management of network security equipment and about the cost that is shifted onto customers to keep their networks secure.