CVE-2014-100005 — D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability


D-Link DIR-600 — No-Auth CSRF Allows Hijacking Admin Session to Change DNS, Firewall Rules, and Router Configuration

The D-Link DIR-600 is a consumer and small business wireless router sold from approximately 2009 through the mid-2010s. Like most consumer routers of this era, it provides NAT, DHCP, wireless AP, and a web-based administration interface. The DIR-600 was widely deployed in homes and small offices, and — critically — was never designed with enterprise security requirements in mind. D-Link declared the DIR-600 end-of-life with no further firmware updates available.

Consumer routers are high-value targets for attackers: they sit at the network perimeter of homes and small businesses, handle all DNS resolution for connected devices, and often remain in service for a decade or more without security updates — making legacy router vulnerabilities a persistent attack surface.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 16, 2024. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-100005 is a cross-site request forgery (CSRF) vulnerability in the D-Link DIR-600 router's web administration interface. The router does not implement CSRF tokens or other request validation mechanisms on its management endpoints. An attacker can craft a malicious web page that, when visited by a user who is authenticated to the router's admin interface (e.g., a user who has logged into the router recently), automatically sends unauthorized requests to the router — changing its DNS configuration, adding port forwarding rules, modifying firewall settings, or changing the admin password.

Affected Versions

D-Link DIR-600                                Status
All hardware revisions (A1, B1, B2, B3, B5)   Vulnerable (no patch)

No patch is available. The product is end-of-life and must be replaced.

Technical Details

Root Cause: Missing CSRF Tokens in Router Admin Interface

CSRF attacks exploit the browser's automatic inclusion of authentication cookies on all requests to a domain. The D-Link DIR-600's admin interface authenticates via a session cookie stored in the browser after login. The management HTTP endpoints do not validate that incoming requests contain a secret CSRF token known only to the legitimate admin interface — meaning any request with the right URL and parameters is accepted if the session cookie is present.

Attack flow:

  1. Router administrator logs into http://192.168.0.1/ and authenticates (browser stores session cookie)
  2. Attacker tricks the admin into visiting a malicious web page (via phishing email, malicious ad, or compromised website)
  3. The malicious page contains hidden HTML/JavaScript that automatically sends HTTP requests to http://192.168.0.1/
  4. The browser automatically attaches the admin session cookie to these requests
  5. The router processes the requests as legitimate admin actions — changing DNS, adding port forwarding, changing password, etc.
  6. The attacker now controls the router's configuration
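The root cause and the attack flow above are a matter of what the server checks before acting on a state-changing request. The following added example (not D-Link firmware code, and not from the original page) models a "set DNS" admin endpoint twice: once accepting any request that carries a valid session cookie, as the page describes the DIR-600, and once with the three defences the router lacks: state changes only via POST, an Origin/Referer same-origin check, and a per-session synchronizer token compared in constant time. The router origin http://192.168.0.1 is from the page; the request and state classes, the session store, the attacker origin and all IP addresses are constructed placeholders. The hardened handler also records why it refused a request, which is the log line a defender would want.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The admin origin is from the page; the rest of this file is a constructed model
# of a "set DNS" endpoint, not D-Link firmware code.
ROUTER_ORIGIN = "http://192.168.0.1"


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class RouterState:
    dns_servers: list
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token
    rejected: list = field(default_factory=list)   # audit log of refused requests


def login(state: RouterState) -> tuple:
    """Create a session plus a per-session CSRF token; return (session id, Set-Cookie)."""
    sid = secrets.token_urlsafe(16)
    state.sessions[sid] = secrets.token_urlsafe(32)
    # SameSite=Lax keeps the browser from attaching the cookie to cross-site POSTs;
    # defence in depth alongside the token check below.
    return sid, f"session={sid}; HttpOnly; SameSite=Lax"


def _same_origin(url: str, expected: str) -> bool:
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def vulnerable_set_dns(state: RouterState, req: Request) -> int:
    """DIR-600 behaviour as the page describes it: the session cookie is the only check."""
    if req.cookies.get("session") not in state.sessions:
        return 401
    state.dns_servers = [req.form["dns1"], req.form["dns2"]]
    return 200


def hardened_set_dns(state: RouterState, req: Request) -> int:
    """Same endpoint with the checks the DIR-600 lacks: POST only, same-origin, token."""
    sid = req.cookies.get("session")
    if sid not in state.sessions:
        return 401
    if req.method != "POST":
        state.rejected.append("state change attempted with non-POST method")
        return 405
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source or not _same_origin(source, ROUTER_ORIGIN):
        state.rejected.append(f"cross-origin request from {source!r}")
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(state.sessions[sid], token):   # constant-time compare
        state.rejected.append("missing or wrong CSRF token")
        return 403
    state.dns_servers = [req.form["dns1"], req.form["dns2"]]
    return 200


def forged_request(sid: str) -> Request:
    """What the browser sends when a logged-in admin loads a page on another site:
    the session cookie rides along automatically, the form token does not."""
    return Request(method="POST",
                   headers={"Origin": "http://attacker.example"},        # placeholder origin
                   cookies={"session": sid},
                   form={"dns1": "203.0.113.5", "dns2": "203.0.113.6"})  # TEST-NET-3 placeholders


def legitimate_request(state: RouterState, sid: str) -> Request:
    """Submitted from the router's own page, which embedded the session's token in the form."""
    return Request(method="POST", headers={"Origin": ROUTER_ORIGIN}, cookies={"session": sid},
                   form={"dns1": "192.0.2.53", "dns2": "192.0.2.54",
                         "csrf_token": state.sessions[sid]})


def demo() -> dict:
    isp_dns = ["198.51.100.1", "198.51.100.2"]   # constructed ISP resolvers
    vuln = RouterState(dns_servers=list(isp_dns))
    sid, _ = login(vuln)
    vuln_status = vulnerable_set_dns(vuln, forged_request(sid))

    hard = RouterState(dns_servers=list(isp_dns))
    sid, _ = login(hard)
    forged_status = hardened_set_dns(hard, forged_request(sid))
    legit_status = hardened_set_dns(hard, legitimate_request(hard, sid))
    return {"vulnerable_status": vuln_status, "vulnerable_dns": vuln.dns_servers,
            "hardened_forged_status": forged_status, "hardened_legit_status": legit_status,
            "hardened_dns": hard.dns_servers, "rejected": hard.rejected}


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, demo() shows the vulnerable handler accepting the forged request (status 200, DNS overwritten) while the hardened handler refuses it at the Origin check (status 403, DNS unchanged, one audit entry) and still accepts the legitimate same-origin submission that carries the token. The Origin check alone stops the page-described attack; the token guards against clients that omit Origin and Referer, and SameSite=Lax removes the cookie from the cross-site POST before either check runs.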

Attack Scenarios

Attack                 Method                                          Impact
DNS hijacking          Change DNS servers to attacker-controlled IPs   All domain lookups for connected devices resolve to the attacker's servers (MitM, phishing)
Port forwarding        Add rules exposing internal services            Expose cameras, NAS, printers to the internet
Admin password change  Override admin credentials                      Lock out legitimate admin; persistent router control
Remote management      Enable WAN-side admin access                    Allow direct remote exploitation from the internet

Attack Characteristics

Attribute                             Detail
Attack Vector                         Network; requires social engineering (user visits malicious page)
Authentication Required for Attacker  None
Session Required                      Router admin session must be active in victim's browser
CWE                                   CWE-352: Cross-Site Request Forgery

Discovery

CSRF vulnerabilities in D-Link DIR-600 were documented by independent security researchers and published on security forums and Exploit-DB in late 2014. The CVE ID format CVE-2014-100005 reflects a non-standard assignment process used for some consumer hardware vulnerabilities.

Exploitation Context

  • Persistent exploitation (2024 KEV): Added to CISA KEV in May 2024 — a decade after discovery — confirming that large numbers of DIR-600 routers remain in service and are actively exploited
  • Botnet incorporation: Consumer routers with CSRF and command injection vulnerabilities have been systematically incorporated into botnets (Mirai variants and successors) for DDoS-for-hire services
  • DNS hijacking campaigns: Threat actors have repeatedly targeted home/SMB routers to hijack DNS, redirect users to credential-harvesting sites, and intercept traffic — CSRF is one of the primary mechanisms used
  • No patch available: The DIR-600 is end-of-life with no firmware updates; the only fix is device replacement
  • Scale: Large numbers of legacy D-Link routers remain in service globally due to low replacement rates in residential and small business environments

Remediation

CISA BOD 22-01 Deadline: June 6, 2024. D-Link DIR-600 is end-of-life with no patch available. Replace the device immediately.

  1. Replace the router with a currently supported model from any vendor. This is the only complete remediation. D-Link DIR-600 will never receive a security patch.

  2. In the interim (if immediate replacement is not possible):

    • Disable web administration over the LAN when not actively needed (most routers allow toggling the admin interface)
    • Never use the router admin interface from a browser that also visits untrusted websites in the same session
    • Use a dedicated device (or separate browser profile) for router administration

  3. Check DNS settings after replacement to ensure they have not been changed to attacker-controlled servers. Compare configured DNS against your ISP's expected DNS IPs.

  4. Audit port forwarding rules for unauthorized entries. Attackers may have added rules exposing internal services before replacement.

  5. Change all network passwords (Wi-Fi PSK, other device credentials) after replacement, as DNS hijacking may have exposed credentials over time.
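Steps 3 and 4 above are a comparison of the router's current configuration against what the owner expects. The following added example (not from the page or from D-Link) automates that comparison over a configuration dump: it flags WAN DNS resolvers outside the ISP's known set, port-forwarding rules not in an approved list, and WAN-side remote management being switched on. The key=value dump format, the field layout of the port-forwarding entries, the ISP resolver addresses and the approved rule are all constructed for the example; the DIR-600's real export format is not on the page, so the parser would be adapted to whatever the device actually emits.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration dump. The key names, the "proto:wan:lan_ip:lan_port:name"
# layout of portfwd entries and every address here are placeholders, not the real
# DIR-600 export format.
SAMPLE_CONFIG = """\
wan_dns1=203.0.113.5
wan_dns2=198.51.100.2
remote_mgmt=1
portfwd.0=tcp:80:192.168.0.20:80:camera
portfwd.1=tcp:443:192.168.0.30:443:nas
portfwd.2=udp:51820:192.168.0.10:51820:vpn
"""

# What the owner expects: the ISP's resolvers and the one rule they configured themselves.
EXPECTED_DNS = {"198.51.100.1", "198.51.100.2"}                 # constructed ISP resolvers
APPROVED_FORWARDS = {("udp", 51820, "192.168.0.10", 51820)}     # constructed approved rule


@dataclass(frozen=True)
class Forward:
    proto: str
    wan_port: int
    lan_ip: str
    lan_port: int
    name: str


def parse_config(text: str) -> tuple:
    """Split a key=value dump into plain settings and a list of port-forwarding rules."""
    settings, forwards = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith("portfwd."):
            proto, wan, lan_ip, lan_port, name = value.split(":", 4)
            forwards.append(Forward(proto.lower(), int(wan), lan_ip, int(lan_port), name))
        else:
            settings[key] = value
    return settings, forwards


def audit(text: str) -> list:
    """Return one finding per deviation from the expected configuration (empty list = clean)."""
    settings, forwards = parse_config(text)
    findings = []
    for key in ("wan_dns1", "wan_dns2"):
        value = settings.get(key)
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{key}: value {value!r} is not an IP address")
            continue
        if value not in EXPECTED_DNS:
            findings.append(f"{key}: unexpected resolver {value} "
                            f"(expected one of {sorted(EXPECTED_DNS)})")
    if settings.get("remote_mgmt") == "1":
        findings.append("remote_mgmt: WAN-side administration is enabled")
    for fwd in forwards:
        if (fwd.proto, fwd.wan_port, fwd.lan_ip, fwd.lan_port) not in APPROVED_FORWARDS:
            findings.append(f"portfwd: unapproved rule {fwd.proto}/{fwd.wan_port} -> "
                            f"{fwd.lan_ip}:{fwd.lan_port} ({fwd.name})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed dump the audit reports four findings: the first DNS resolver is not one of the ISP's, remote management is on, and the camera and NAS forwards were not approved; the owner's VPN rule and the second resolver pass. The same check is worth running on the replacement router once it is configured, so that the expected baseline is recorded before anything can drift.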

Key Details

Property              Value
CVE ID                CVE-2014-100005
Vendor / Product      D-Link DIR-600 Router
NVD Published         2015-01-13
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-352: Cross-Site Request Forgery (CSRF)
CISA KEV Added        2024-05-16
CISA KEV Deadline     2024-06-06
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2024-06-06. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Timeline

Date        Event
2014-12-01  CSRF vulnerability in D-Link DIR-600 documented by security researchers
2015-01-13  CVE-2014-100005 published (unusual CVE ID format indicates a non-standard assignment process)
2024-05-16  Added to CISA Known Exploited Vulnerabilities catalog
2024-06-06  CISA BOD 22-01 remediation deadline