Support Announcements
DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110 - Multiple Vulnerabilities - Command Injection and Information Disclosure.




The DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456U / DIR-110 have multiple vulnerabilities that allow a malicious attacker to run device operating system commands if authenticated or discover information about the device which may help further exploits to be identified and used.


D-Link Security Incident Response Policy


All public communication on this issue will be offered at :

Our security response team can be contacted for incident information or to report incidents at

For any non-critical security issue, help in updating firmware, or configuration regarding this issue, please contact your D-Link customer care channel.




Author: Michael Messner - Advisory -



General Disclosure


Security and performance are of the utmost importance to D-Link across all product lines. This applies not just to the development process but also to regular firmware updates that comply with current safety and quality standards. We are proactively working with the sources of these reports and continuing to review the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the cautions below to avoid unwanted intrusion into your D-Link product.


Immediate General Recommendations for all D-Link router customers


  • Do not enable the Remote Management feature, since this will allow malicious users to use this exploit from the internet. Remote Management is disabled by default on all D-Link routers and is included for customer care troubleshooting, if useful and if the customer enables it.
  • If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking on links in such e-mails could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.
  • Make sure that your wireless network is secure.
  • Do not provide your admin password to anyone. If required we suggest updating the password frequently.




Please read the details from the author at:


Details are left to the author's original disclosure to avoid miscommunication and duplication of work and ownership. We offer the following as a summary pulled from the author's linked document.


These devices are reported to have many vulnerabilities in their web configuration pages:


- OS Command Injection - The vulnerability is caused by missing input validation in the dst parameter and missing session validation and can be exploited to inject and execute arbitrary shell commands.


- Information Disclosure - The internal web server reports a server banner that can be used to detect the type of device.


- Information Disclosure - Detailed device information including Model Name, Hardware Version, Linux Kernel, Firmware version, Language and MAC Addresses are available via the network. Located at : http://<IP address of device>/version.txt or http://<IP address of device>/DevInfo.txt


Affected Products



| Model Name | HW Version | Current FW Version | New FW Version for this exploit fix |
|---|---|---|---|
|  | Rev. Ax | Ver. 1.01 and Older | Please Contact Local Regional D-Link Office for help. This is a non-US device. |
|  | Rev. Bx | Ver. 2.14b01 and Older | Ver. 2.15b01 |
|  | Rev. Ax | Ver. 1.14WWB02 and Older | For devices purchased in US please contact DUS customer care: 1 (877) 453-5465 |
|  | Rev. Ax | Ver 1.00ONG and Older | Ver: 1.02b06 |
| DIR-600 | Rev. Bx | Ver. 2.16b01 and Older | Ver. 2.17b02 |
| DIR-645 | Rev. Ax | Ver. 1.03 and Older | Ver. 1.04b11 |
| DIR-815 | Rev. Ax | Ver. 1.03b02 and Older | Ver. 1.04b02 |


Security patch for your D-Link router


These firmware updates address the security vulnerabilities in affected D-Link routers. D-Link will update this continually and we strongly recommend all users to install the relevant updates.


As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device web configuration.


To update the firmware, please log in to the Web-GUI interface of your device and, from the menu, select Maintenance -> System -> Upgrade Firmware. If you require help, please contact your regional D-Link customer care website for options.
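
For administrators who track several routers, the hardware-revision and firmware check described above can be scripted. The following is an added example, not D-Link code: it covers only the table rows that name a model (DIR-600 Rev. B, DIR-645 Rev. A, DIR-815 Rev. A), and the function names, the sample inventory and the rule that any build below the fixed release counts as affected are assumptions of this example.

```python
import re

# Fixed firmware per (model, hardware revision letter), taken from the rows of
# the advisory's table that name a model.
FIXED = {
    ("DIR-600", "B"): "2.17b02",
    ("DIR-645", "A"): "1.04b11",
    ("DIR-815", "A"): "1.04b02",
}

def parse_fw(text):
    """'Ver. 2.16b01' or '1.04B11' -> (major, minor, build) as integers."""
    m = re.search(r"(\d+)\.(\d+)(?:b(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def hw_rev(text):
    """'Rev. Bx', 'B1' or 'b' -> 'B'; None if no revision letter is found."""
    m = re.fullmatch(r"(?:rev\.?\s*)?([a-z])[0-9x]*", text.strip(), re.IGNORECASE)
    return m.group(1).upper() if m else None

def status(model, revision, firmware):
    """Classify one device as 'affected', 'fixed' or 'unknown'."""
    fixed = FIXED.get((model.strip().upper(), hw_rev(revision)))
    if fixed is None:
        return "unknown"  # model/revision not covered by FIXED
    # Assumption: every build below the fixed release is still vulnerable.
    return "fixed" if parse_fw(firmware) >= parse_fw(fixed) else "affected"

# Constructed sample inventory: (model, hardware revision, installed firmware).
INVENTORY = [
    ("DIR-600", "Rev. B1", "2.16b01"),
    ("DIR-645", "A1", "Ver. 1.04B11"),
    ("DIR-815", "Rev. Ax", "1.03b02"),
    ("DIR-600", "Rev. A", "2.16b01"),
]

def audit(inventory):
    """Return (model, revision, firmware, status) for every entry."""
    return [(m, r, f, status(m, r, f)) for m, r, f in inventory]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-8s %-8s %-14s %s" % row)
```

Devices reported as "unknown" fall outside the three rows encoded here and need to be checked against the table by hand.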