CVE-2024-45695: D-Link DIR-X4860 RCE Vulnerability

CVE-2024-45695 Overview

CVE-2024-45695 is a stack-based buffer overflow in the web service of certain D-Link wireless routers, including the DIR-X4860. Unauthenticated remote attackers can send crafted requests over the network to execute arbitrary code on the device. The flaw is tracked under [CWE-121] (Stack-based Buffer Overflow) and [CWE-787] (Out-of-bounds Write). Successful exploitation grants full control of the affected router, enabling traffic interception, lateral movement into the internal network, and persistence on the device firmware.

Critical Impact

Unauthenticated attackers can achieve remote code execution on affected D-Link DIR-X4860 routers with no user interaction, fully compromising the device and the network it serves.

Affected Products

• D-Link DIR-X4860 hardware revision A1
• D-Link DIR-X4860 firmware version 1.00
• D-Link DIR-X4860 firmware version 1.04

Discovery Timeline

• 2024-09-16 - CVE-2024-45695 published to the National Vulnerability Database (NVD)
• 2024-09-17 - Last updated in the NVD database

Technical Details for CVE-2024-45695

Vulnerability Analysis

The vulnerability resides in the HTTP web service exposed by the router's management interface. The service fails to validate the length of attacker-supplied input before copying it onto a fixed-size stack buffer. When an oversized value is supplied through a vulnerable request parameter, the write operation extends past the buffer boundary and overwrites adjacent stack memory, including the saved return address.

Because the web service runs with elevated privileges on the device and is reachable without authentication, an attacker who controls the return address can redirect execution to attacker-supplied shellcode or to existing code gadgets within the firmware. This yields arbitrary code execution as the web service process. The combination of remote network reachability, missing authentication, and full impact on confidentiality, integrity, and availability places this issue in the same risk class as other recent D-Link router takeover bugs.

Root Cause

The root cause is the absence of bounds checking on user-controlled data inside the router's web service. The function processing the request copies input into a stack-allocated buffer using an unsafe string operation, classifying the defect as [CWE-121] and [CWE-787]. No length validation or canonicalization is performed before the copy.

Attack Vector

Exploitation requires only network access to the router's web management interface. The attacker sends a single crafted HTTP request containing an oversized parameter. No credentials, tokens, or user interaction are required. Devices that expose the web interface to the WAN are remotely exploitable from the internet; LAN-only exposure still permits exploitation by any device on the same network, including a compromised endpoint or guest device.

No verified public proof-of-concept code is available. Technical specifics are described in the TWCERT advisories. See the TWCERT Security Advisory 8083 for additional context.

Detection Methods for CVE-2024-45695

Indicators of Compromise

• Unexpected HTTP POST requests to router management endpoints containing abnormally long parameter values or non-printable bytes.
• Web service crashes, restarts, or watchdog reboots in the router's system log shortly after inbound HTTP traffic.
• Outbound connections initiated by the router to unfamiliar IP addresses, indicating possible reverse shell or implant activity.
• New or modified firewall, DNS, or routing rules on the device that were not made by an administrator.

Detection Strategies

• Inspect network traffic to and from router management interfaces for HTTP requests with parameter lengths that exceed expected bounds.
• Correlate router syslog events with network telemetry to identify crash-and-restart patterns consistent with buffer overflow attempts.
• Alert on any management-plane access to consumer router IPs originating from the WAN side.

Monitoring Recommendations

• Forward router syslog data to a centralized logging or SIEM platform and create rules for repeated web service restarts.
• Monitor DNS queries from the router itself, since compromised routers commonly resolve attacker-controlled domains.
• Track baseline configuration of affected D-Link devices and alert on unauthorized changes to admin accounts, DNS settings, or port forwarding rules.

How to Mitigate CVE-2024-45695

Immediate Actions Required

• Disable remote (WAN-side) administration on the DIR-X4860 until a vendor patch is applied.
• Restrict access to the LAN web management interface to a dedicated management VLAN or trusted hosts only.
• Rotate the router administrator password and any Wi-Fi pre-shared keys after patching, in case the device was already compromised.
• Inventory affected D-Link DIR-X4860 units, including firmware versions 1.00 and 1.04, and prioritize them for remediation.

Patch Information

No fixed firmware version is referenced in the NVD entry at publication. Administrators should review the TWCERT Security Advisory 8083 and the TWCERT Security Advisory 8082 for vendor guidance, and consult the D-Link support portal for updated firmware for the DIR-X4860.

Workarounds

• Place the router behind an upstream firewall that blocks unsolicited inbound traffic to the management interface.
• Disable Universal Plug and Play (UPnP) and any cloud or remote management features that expose the web service externally.
• If a patch is unavailable and the device is internet-exposed, replace it with a supported model or isolate it on a segmented network.

# Configuration example: block inbound access to the router web UI from the WAN
# Run on an upstream firewall (example uses iptables syntax)
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 443 -j DROP
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 8080 -j DROP