D-Link is warning customers to replace end-of-life VPN router models after a critical unauthenticated, remote code execution vulnerability was discovered that will not be fixed on these devices.

The flaw was discovered and reported to D-Link by security researcher ‘delsploit,’ but technical details have been withheld from the public to avoid triggering mass exploitation attempts in the wild.

The vulnerability, which does not have a CVE assigned to it yet, impacts all hardware and firmware revisions of DSR-150 and DSR-150N, and also DSR-250 and DSR-250N from firmware 3.13 to 3.17B901C.

These VPN routers, popular in home office and small business settings, were sold internationally and reached their end of service on May 1, 2024.

D-Link has made it clear in the advisory that they will not be releasing a security update for the four models, recommending customers replace devices as soon as possible.

“The DSR-150 / DSR-150N / DSR-250 / DSR-250N all hardware versions and firmware versions have been EOL/EOS as of 05/01/2024. This exploit affects this legacy D-Link router and all hardware revisions, which have reached their End of Life […]. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link US.” – D-Link

The vendor also notes that third-party open-firmware may exist for those devices, but this is a practice that’s not officially supported or recommended, and using such software voids any warranty that covers the product.

“D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it,” reads the bulletin.

“If US consumers continue to use these devices against D-Link’s recommendation, please make sure the device has the last known firmware which can be located on the Legacy Website.”

Users may download the most current firmware for these devices from here: 

It should be noted that even using the latest available firmware version does not protect the device from the remote code execution flaw discovered by delsploit, and no patch will be officially released for it.

D-Link’s response aligns with the networking hardware vendor’s strategy not to make exceptions for EoL devices when critical flaws are discovered, no matter how many people are still using these devices.

“From time to time, D-Link will decide that some of its products have reached End of Support (“EOS”) / End of Life (“EOL”),” explains D-Link.

“D-Link may choose to EOS/EOL a product due to evolution of technology, market demands,  new innovations, product efficiencies based on new technologies, or the product matures over time and should be replaced by functionally superior technology.”

Earlier this month, security researcher ‘Netsecfish’ disclosed details about CVE-2024-10914, a critical command injection flaw impacting thousands of EoL D-Link NAS devices.

The vendor issued a warning but not a security update, and last week, threat monitoring service The Shadowserver Foundation reported seeing active exploitation attempts.

Also last week, security researcher Chaio-Lin Yu (Steven Meow) and Taiwan’s computer and response center (TWCERTCC) disclosed three dangerous vulnerabilities, CVE-2024-11068, CVE-2024-11067, and CVE-2024-11066, impacting the EoL D-Link DSL6740C modem.

Despite internet scans returning tens of thousands of exposed endpoints, D-Link decided not to address the risk.