D-Link has another security flaw with older equipment that won't be repaired — D-Link told users to replace outdated NAS last week
Routers join NAS in the trash.
A handful of legacy D-Link routers are susceptible to RCE (Remote Code Execution) threats, and the company refuses to offer patches, stating that the devices have reached EOL (End Of Life) and suggesting that users trash them instead. This report follows a previous incident in which D-Link failed to patch over 60,000 NAS devices and recommended users purchase newer models.
According to D-Link's advisory, attackers can execute code remotely (RCE) on these routers owing to a stack buffer overflow vulnerability. D-Link didn't share the exact specifics of this threat, possibly to ward off potential hackers. Even so, this opens a Pandora's box of possible threats, including, but not limited to, data theft, malware and spyware installation, and DoS attacks.
In other words, if you own any of the following routers (DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500N, or DSR-1000N), your data and privacy are at serious risk. A quick look over the report shows that four out of six of these routers were discontinued just this year. And, to no one's surprise, D-Link explicitly says, "If a product has reached End of Support ("EOS") / End of Life ("EOL"), there is normally no further extended support or development for it."
Here's a list of the specific models in question:
Model | End Of Life Date |
---|---|
DSR-150 | May 1, 2024 |
DSR-150N | May 1, 2024 |
DSR-250 | May 1, 2024 |
DSR-250N | May 1, 2024 |
DSR-500N | September 30, 2015 |
DSR-1000N | October 30, 2015 |
Users in the U.S. can snag a newer model at discounted rates, since D-Link offers a 20% discount for those impacted by the flaw, but that doesn't fully compensate for the lack of patches, which leaves a myriad of unsuspecting users at risk. Alternatively, the report says that various devices on this list are open to third-party firmware with unofficial patches, but going that route will void your warranty (not that it matters much anymore).
Recently, various NAS models from D-Link were found prone to the CVE-2024-10914 vulnerability — but due to EOL concerns, the firm declined to patch them and proposed users purchase new routers instead.
Given D-Link's recent spate of security flaws in its older devices, this news might deter potential customers or business partners. Nonetheless, if you think it's time for an upgrade, you can check out our Wi-Fi router list to get the best bang for your buck.
Hassam Nasir is a die-hard hardware enthusiast with years of experience as a tech editor and writer, focusing on detailed CPU comparisons and general hardware news. When he’s not working, you’ll find him bending tubes for his ever-evolving custom water-loop gaming rig or benchmarking the latest CPUs and GPUs just for fun.
-
hotaru251
OpenWrt (or similar opensource ones)
honestly more people need to encourage using no longer supported routers w/ opensource stuff as it's a waste to not use em just because official maker stops supporting em when they function perfectly fine. -
tek-check
Show them a middle finger, spread the news of the shameless practice and never buy their products again. -
bill001g
Seems home consumers are just finding out about this and are surprised what end of life means. I remember Cisco lifetime warranty on switches which really means until they decide to declare it dead.
Large enterprise equipment has had this issue for as long as I can remember. But like these dlink routers they are basically ewaste. Who is really going to be running a router with 100mbps ports nowadays? Commercial equipment is generally replaced long before it hits end of life. Most companies dump not long after it hits end of support.
At least they still function even with the hacking risk. There are many devices that will not function without some subscription and the company decides to no longer support it. -
newtechldtech
tek-check said: Show them a middle finger, spread the news of the shameless practice and never buy their products again.
show me one company that gives you support after EOL date? -
Konomi
tek-check said: Show them a middle finger, spread the news of the shameless practice and never buy their products again.
If a product is EOL, support stops. If the product still receives patches, then it is not EOL. You cannot have EOL and still receive support, it's that simple. About time a company sticks to it. -
USAFRet
tek-check said: Show them a middle finger, spread the news of the shameless practice and never buy their products again.
Some of the listed devices are 15 years old, and EOL 8 years ago.
This is absolutely normal. -
Alvar "Miles" Udell
USAFRet said: Some of the listed devices are 15 years old, and EOL 8 years ago.
This is absolutely normal.
It's also normal for TH to publish these clickbaity articles, sadly. -
thestryker
hotaru251 said:
OpenWrt (or similar opensource ones)
honestly more people need to encourage using no longer supported routers w/ opensource stuff as it's a waste to not use em just because official maker stops supporting em when they function perfectly fine.
Most routers with Broadcom processors simply cannot use anything of the sort due to no drivers and modern equipment has shaky support in general. If someone cares about security without big cost they should be running a minipc with pfsense/opnsense and keep wireless behind that.