Support Announcements
DGS-1250 :: FW v1.00.040 & v1.x Below / v2.01.006 & v2.x Below :: HTTP header injection vulnerability to Configuration Disclosure


On December 18, 2019, D-Link US was made aware of a 3rd party report that the DGS-1250 series is susceptible to an HTTP header injection vulnerability that enables an attacker to reveal the switch configuration.

This security-related issue is verified, and firmware patches to correct the issue are under development.

3rd Party Report information

          - Harry Sintonen, harry.sintonen _at_ f-secure _dot_ com

            Senior Security Consultant, Cyber Security Products & Services F-Secure Corp.

          - Public Disclosure :





Once a firmware correction is issued, we will update this announcement and recommend updating the firmware.


Both before and after the patch is available, we recommend the following:


  1. This infrastructure switch should never have its management interface accessible to the Internet.
  2. The web management of these infrastructure devices should itself be configured on an IP sub-network that is blocked, filtered, or separated by VLAN from communicating with the Internet IP sub-network.
  3. Do not leave the default password in place; always update the password to be complex (alpha-numeric minimum) and unique.
  4. Once configured for your environment, please keep off-line back-ups of the device's configuration.
  5. Set a maintenance schedule to update passwords and check for the latest firmware with no less than 90-day frequency.