CVE-2024-45694: D-Link DIR-X5460 Firmware RCE Vulnerability

CVE-2024-45694 Overview

CVE-2024-45694 is a stack-based buffer overflow vulnerability in the web service of D-Link DIR-X5460 and DIR-X4860 wireless routers. The flaw allows unauthenticated remote attackers to send crafted requests to the router's HTTP management interface and execute arbitrary code on the device. Successful exploitation grants full control of the affected router, exposing the network behind it to traffic interception, lateral movement, and persistent malware deployment. The vulnerability is tracked under [CWE-121: Stack-based Buffer Overflow] and was disclosed through TWCERT.

Critical Impact

Unauthenticated remote attackers can execute arbitrary code on affected D-Link routers over the network, resulting in complete device compromise.

Affected Products

• D-Link DIR-X5460 (hardware revision A1) firmware versions 1.01, 1.02, 1.04, and 1.10
• D-Link DIR-X4860 (hardware revision A1) firmware versions 1.00 and 1.04
• All deployments exposing the router's web management interface to untrusted networks

Discovery Timeline

• 2024-09-16 - CVE-2024-45694 published to NVD
• 2024-09-17 - Last updated in NVD database

Technical Details for CVE-2024-45694

Vulnerability Analysis

The vulnerability resides in the embedded web service that serves the router's administration interface. The web service processes HTTP request data into fixed-size stack buffers without validating the length of attacker-controlled input. When an oversized value is supplied, the copy operation writes past the end of the stack buffer and overwrites adjacent stack data, including the saved return address.

Because the web service runs with elevated privileges on the router and is reachable before authentication, an attacker can hijack control flow without any credentials or user interaction. On MIPS-based and ARM-based SOHO routers such as the DIR-X5460 and DIR-X4860, attackers typically chain return-oriented programming gadgets to execute shellcode, spawn a reverse shell, or load a persistent implant.

Root Cause

The root cause is the absence of bounds checking on user-supplied data copied into a stack buffer in the web service binary. The implementation relies on unsafe string handling instead of length-bounded alternatives, allowing input of arbitrary size to corrupt the stack frame.

Attack Vector

The attack vector is network-based and pre-authentication. An attacker sends a malformed HTTP request to the router's web management port, typically TCP/80 or TCP/443. Devices that expose management to the WAN interface are reachable directly from the internet, while LAN-only deployments remain exploitable by any host on the local network, including compromised IoT clients or guest devices.

No verified public exploit code is available at this time. Technical details are described in the TWCERT Security Advisory.

Detection Methods for CVE-2024-45694

Indicators of Compromise

• Unexpected HTTP POST or GET requests to the router's web administration interface containing unusually long parameter values or header fields
• Outbound connections from the router to unknown internet hosts, including reverse shells on non-standard ports
• Unauthorized changes to DNS, DHCP, or firewall configuration on the affected device
• New or modified firmware components and persistence scripts on the router file system

Detection Strategies

• Inspect network traffic to router management interfaces for HTTP requests with oversized parameters or anomalous URI lengths
• Correlate router log entries for repeated crashes, watchdog reboots, or web service restarts that may indicate failed exploitation attempts
• Use network intrusion detection signatures targeting buffer-overflow patterns in HTTP request bodies destined for D-Link administration endpoints

Monitoring Recommendations

• Forward router syslog and authentication events to a centralized logging platform for retention and analysis
• Baseline normal management-plane traffic and alert on connections to the router's web UI from non-administrator hosts
• Monitor for outbound traffic originating from router IP addresses to internet destinations, which usually indicates compromise

How to Mitigate CVE-2024-45694

Immediate Actions Required

• Disable remote (WAN-side) administration on DIR-X5460 and DIR-X4860 devices until a fixed firmware version is applied
• Restrict access to the router web interface to a dedicated management VLAN or trusted administrator hosts
• Replace default administrative credentials and audit existing accounts on affected routers
• Apply the firmware update referenced in the TWCERT Security Advisory as soon as D-Link makes it available for your model

Patch Information

D-Link has been notified through TWCERT. Administrators should consult the TWCERT Security Notification and the D-Link support portal for the specific firmware build that addresses CVE-2024-45694 on DIR-X5460 hardware revision A1 and DIR-X4860 hardware revision A1.

Workarounds

• Block inbound TCP/80 and TCP/443 to the router WAN interface at the upstream firewall or ISP gateway
• Place the router management interface behind a VPN and require administrators to connect through the VPN before accessing the web UI
• Segment vulnerable routers into an isolated network until patched, limiting blast radius if compromise occurs

# Example: restrict router web administration to a single management host
# (apply on an upstream firewall in front of the affected D-Link device)
iptables -A FORWARD -p tcp -s 192.0.2.10 -d <router_ip> --dport 80  -j ACCEPT
iptables -A FORWARD -p tcp -s 192.0.2.10 -d <router_ip> --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80  -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP