"The root of the flaw lies in the routers' missing access restrictions and missing input validation in the command parameter," writes Threatpost's Christopher Brook. "Messner claims even unauthenticated users can target routers, trick them into landing on their own website and then execute malicious commands by injecting scripts."
"In a short test, The H's associates at heise Security found that many of the devices can even be accessed from the internet and managed to inject a harmless command into such a router," The H Security reports. "A real attacker could randomly exploit systems, for example to divert a router's entire internet traffic to a third-party server."
"In addition, the expert has found that administrator passwords are [stored] in plain text," writes Softpedia's Eduard Kovacs. "Cybercriminals can also easily modify passwords since the current password is not required during the process. The only requirement is for the attacker to have access to an authenticated browser."
When he provided D-Link with information on the vulnerabilities, Messner reports, "D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix."
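The three weaknesses the quotes above describe (a diagnostic `command` parameter that reaches a shell without an access check, a password change that needs only an authenticated browser rather than the current password, and nothing stopping an attacker's web page from driving that browser) are easiest to see side by side with their fixes. The following is an added example written for this page, not D-Link firmware code and not Messner's proof of concept: the `host`, `csrf`, `current_password` and `new_password` parameter names, the session handling and the `Router` model are assumptions, and the "shell" only records commands instead of running them. The `command` parameter name is the one the articles mention.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Allowlist for the diagnostic target: hostname labels or dotted IPv4, so no ';', '|', '`' or ' '.
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}")

@dataclass
class Request:
    """One browser request as the router's web interface sees it (constructed)."""
    params: dict
    cookies: dict = field(default_factory=dict)
    method: str = "GET"

@dataclass
class Router:
    """Router state. 'executed' stands in for the shell: commands are recorded, never run."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sessions: dict = field(default_factory=dict)   # session id -> user
    executed: list = field(default_factory=list)
    password_plain: str = "admin"                   # the plain-text store the quotes describe
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""                      # hardened store, filled in by demo()

def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def csrf_token(router: Router, sid: str) -> str:
    """Token bound to the session; a page on another origin can neither read nor forge it."""
    return hmac.new(router.secret, sid.encode(), hashlib.sha256).hexdigest()

def authorised(router: Router, req: Request):
    """HTTP status to reject with, or None when the request may change state."""
    sid = req.cookies.get("session")
    if sid not in router.sessions:
        return 401                                  # no authenticated browser at all
    if req.method != "POST" or not hmac.compare_digest(
            csrf_token(router, sid).encode(), req.params.get("csrf", "").encode()):
        return 403                                  # victim's browser sent the cookie, but no token

# The weak pattern the articles describe: no access check, raw parameter glued into a shell line.
def vulnerable_diag(router: Router, req: Request) -> int:
    router.executed.append("ping -c 1 " + req.params.get("command", ""))
    return 200

def vulnerable_change_password(router: Router, req: Request) -> int:
    if req.cookies.get("session") not in router.sessions:
        return 401
    router.password_plain = req.params.get("new_password", "")   # no current password, no token
    return 200

def hardened_diag(router: Router, req: Request) -> int:
    status = authorised(router, req)
    if status:
        return status
    host = req.params.get("host", "")
    if not HOST_RE.fullmatch(host):                 # fullmatch: '$' alone would accept a trailing newline
        return 400                                  # "8.8.8.8; reboot" never reaches a shell
    router.executed.append(["ping", "-c", "1", host])   # argv list, not a shell string
    return 200

def hardened_change_password(router: Router, req: Request) -> int:
    status = authorised(router, req)
    if status:
        return status
    current = pbkdf2(req.params.get("current_password", ""), router.salt)
    if not hmac.compare_digest(current, router.password_hash):
        return 403                                  # a ridden session alone is not enough
    router.salt = secrets.token_bytes(16)
    router.password_hash = pbkdf2(req.params.get("new_password", ""), router.salt)
    return 200

def demo() -> dict:
    """Replays constructed attacker and legitimate requests; returns statuses and side effects."""
    router = Router()
    router.sessions["s1"] = "admin"                 # the admin is logged in somewhere in a tab
    router.password_hash = pbkdf2("admin", router.salt)
    token, s1 = csrf_token(router, "s1"), {"session": "s1"}
    injected = "8.8.8.8; reboot"                    # what the attacker's page puts in the URL
    anon = Request({"command": injected})                          # straight from the internet
    ridden = Request({"command": injected, "host": injected}, s1)  # <img src=...> in the admin's tab
    r = {"vuln_anon": vulnerable_diag(router, anon), "vuln_csrf": vulnerable_diag(router, ridden)}
    r["vuln_shell"] = list(router.executed)
    router.executed.clear()
    r["hard_anon"] = hardened_diag(router, anon)
    r["hard_csrf"] = hardened_diag(router, ridden)
    r["hard_bad_host"] = hardened_diag(router, Request({"host": injected, "csrf": token}, s1, "POST"))
    r["hard_ok"] = hardened_diag(router, Request({"host": "8.8.8.8", "csrf": token}, s1, "POST"))
    r["hard_shell"] = list(router.executed)
    pw = Request({"new_password": "pwned", "csrf": token}, s1, "POST")
    r["vuln_pw"], r["vuln_pw_store"] = vulnerable_change_password(router, pw), router.password_plain
    r["hard_pw_no_current"] = hardened_change_password(router, pw)
    r["hard_pw_ok"] = hardened_change_password(router, Request(
        {"current_password": "admin", "new_password": "newpass", "csrf": token}, s1, "POST"))
    r["hard_pw_verified"] = hmac.compare_digest(pbkdf2("newpass", router.salt), router.password_hash)
    return r
```

Running `demo()` shows the vulnerable handler executing the injected string both for an anonymous request and for one the admin's browser was tricked into sending, while the hardened handler rejects the anonymous request (401), the cookie-only cross-site request (403) and the injected host (400), and only runs the argv-form `ping` for a POST carrying the session-bound token. The password change likewise succeeds against the weak handler with nothing but the session cookie, and against the hardened one only when the current password is supplied. This is the general pattern (authenticate, require a per-session CSRF token on state changes, allowlist the parameter, never build a shell string) rather than a fix for any particular firmware image.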