CVE-2011-4723 — D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability

D-Link DIR-300 — Admin Credentials Stored in Cleartext Enable Network-Adjacent Credential Theft and Router Takeover

The D-Link DIR-300 is a consumer-grade 802.11g wireless router sold primarily in the early 2010s for home and small office use. Like most SOHO routers of its era, it provides NAT routing, DHCP, a wireless access point, and a web-based administration interface. Consumer routers have historically had poor security track records — default credentials, unpatched firmware, and cleartext credential storage were common across the industry during this period.

Overview

CVE-2011-4723 is a cleartext password storage vulnerability (CWE-310) in the D-Link DIR-300 router. The device stores the administrator password in plaintext within its configuration, where it can be retrieved by any user on the adjacent network who has any level of authenticated access. An attacker who obtains the admin password gains full control of the router — enabling DNS hijacking, traffic interception, firewall rule modification, and use of the device as a pivot point for attacks on the local network.

No vendor patch was ever released; D-Link classified the DIR-300 as end-of-life.

Affected Versions

Product                                  Status
D-Link DIR-300 (all hardware revisions)  Vulnerable — no patch available (end-of-life)

Technical Details

The DIR-300 stores the admin password in its configuration in cleartext — unencrypted, directly readable from the configuration backup or via certain web interface endpoints. The CVSS vector (Adjacent Network, Low Privileges Required) reflects that:

  • The attacker must be on the same LAN or WLAN segment as the router (adjacent network)
  • Some level of authenticated access (e.g., a guest account or any low-privilege credentials) is required to access the configuration data

Once obtained, the admin password enables:

  • Full router configuration changes (port forwarding, firewall rules, DMZ settings)
  • DNS server modification — redirecting all DNS queries to attacker-controlled resolvers enables phishing and MITM attacks against every device on the network
  • Wireless password retrieval — enabling further network access
  • Firmware replacement with malicious firmware
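
The storage flaw described in this section, shown next to a hardened form. This is an added Python example, not D-Link firmware code and not code from the original advisory: it uses a constructed key=value backup, because the DIR-300's real configuration format is not given on this page, and replaces the cleartext password with a salted PBKDF2 verifier. The key names, sample password, iteration count and helper functions are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed key=value backup; the DIR-300's real format is not shown on this page.
CLEARTEXT_BACKUP = (
    "admin_user=admin\n"
    "admin_password=correct-horse-battery\n"  # the flaw: readable by anyone who gets the file
    "wan_dns=192.0.2.53\n"
)
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def check_password(candidate: str, verifier: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = verifier.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed verifier: fail closed
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds)
    return hmac.compare_digest(digest, expected)

def harden_backup(backup: str) -> str:
    """Replace admin_password=<cleartext> with admin_password_verifier=<hash>."""
    lines = []
    for line in backup.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "admin_password":
            line = "admin_password_verifier=" + make_verifier(value)
        lines.append(line)
    return "\n".join(lines) + "\n"

def parse(backup: str) -> dict:
    """Parse the constructed key=value format into a dict."""
    return dict(l.split("=", 1) for l in backup.splitlines() if "=" in l)
```

A stored verifier still allows offline guessing of weak passwords, so the configuration backup needs access control even in the hardened form.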

Discovery

The vulnerability was disclosed in December 2011 by security researchers examining the DIR-300's configuration storage. The public disclosure did not result in a vendor patch, as D-Link had already discontinued active development for the DIR-300 product line.

Exploitation Context

SOHO router vulnerabilities like CVE-2011-4723 have been systematically exploited by Mirai and successor botnets, which scan for routers with known default or recoverable credentials and incorporate them into DDoS infrastructure. The DIR-300 specifically appeared in multiple Mirai variant target lists due to its known cleartext credential storage and default credential patterns.

Beyond botnets, these vulnerabilities enable persistent, stealthy compromise: a router takeover typically goes undetected by endpoint security tools (which monitor devices, not network infrastructure), allowing sustained DNS manipulation and traffic interception against all connected devices.

Remediation

The D-Link DIR-300 is end-of-life with no available patch. CISA's required action is to disconnect and replace the device:

  1. Replace the DIR-300 immediately with a supported router that receives active firmware updates
  2. When selecting a replacement, choose a device with active vendor support and automatic firmware update capability
  3. Change all default credentials on the replacement device before deployment
  4. Audit the local network for signs of prior compromise: unexpected DNS server settings, unusual port forwarding rules, or unknown devices on the network
  5. If the DIR-300 cannot be immediately replaced, isolate it from all sensitive traffic and restrict LAN access to only the management interface via a dedicated management VLAN
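
One way to run the audit in step 4, as an added example that is not part of the original advisory or any CISA tooling: it compares a known-good baseline against currently observed settings and reports unexpected DNS servers, port forwards and devices. The data layout, addresses and MACs are constructed; in practice they would be transcribed from the router's settings pages and DHCP lease table.

```python
import ipaddress

# Constructed sample data (documentation address ranges, made-up MACs).
BASELINE = {
    "dns_servers": ["192.0.2.53", "2001:db8::53"],
    "port_forwards": [("tcp", 443, "192.168.0.10", 443)],
    "known_macs": ["00:11:22:33:44:55", "66-77-88-99-AA-BB"],
}
OBSERVED = {
    "dns_servers": ["192.0.2.53", "203.0.113.7"],
    "port_forwards": [("tcp", 443, "192.168.0.10", 443),
                      ("TCP", 8080, "192.168.0.23", 80)],
    "leases": [("00:11:22:33:44:55", "192.168.0.10"),
               ("66:77:88:99:aa:bb", "192.168.0.11"),
               ("02:00:00:00:00:01", "192.168.0.23")],
}

def norm_ip(ip):
    return str(ipaddress.ip_address(ip))  # raises ValueError on malformed input

def norm_mac(mac):
    return mac.lower().replace("-", ":")

def norm_forward(rule):
    proto, ext_port, host, int_port = rule
    return (proto.lower(), int(ext_port), norm_ip(host), int(int_port))

def audit(baseline, observed):
    """Return (category, value) findings for anything absent from the baseline."""
    findings = []
    approved_dns = {norm_ip(ip) for ip in baseline["dns_servers"]}
    approved_fwd = {norm_forward(r) for r in baseline["port_forwards"]}
    known_macs = {norm_mac(m) for m in baseline["known_macs"]}
    for ip in observed["dns_servers"]:
        if norm_ip(ip) not in approved_dns:
            findings.append(("dns", norm_ip(ip)))
    for rule in observed["port_forwards"]:
        if norm_forward(rule) not in approved_fwd:
            findings.append(("port_forward", norm_forward(rule)))
    for mac, ip in observed["leases"]:
        if norm_mac(mac) not in known_macs:
            findings.append(("device", (norm_mac(mac), norm_ip(ip))))
    return findings

if __name__ == "__main__":
    for category, value in audit(BASELINE, OBSERVED):
        print(f"UNEXPECTED {category}: {value}")
```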

Key Details

Property              Value
CVE ID                CVE-2011-4723
Vendor / Product      D-Link — DIR-300 Router
NVD Published         2011-12-20
NVD Last Modified     2025-10-22
CVSS 3.1 Score        5.7
CVSS 3.1 Vector       CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-310
CISA KEV Added        2022-09-08
CISA KEV Deadline     2022-09-29
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Adjacent
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2022-09-29. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date        Event
2011-12-20  CVE-2011-4723 published; no vendor patch available (end-of-life product)
2022-09-08  Added to CISA Known Exploited Vulnerabilities catalog
2022-09-29  CISA BOD 22-01 remediation deadline
