The root of the flaw lies in the routers’ missing access restrictions and missing input validation in the command parameter. Messner claims even unauthenticated users can target routers, trick them into landing on their own website and then execute malicious commands by injecting scripts.

“If you combine the plaintext credential vulnerability with the unauthenticated OS command injection vulnerability you will … extract the admin password from every vulnerable device,” Messner writes.

According to the blog entry, Messner first discovered the vulnerabilities at the tail end of 2012 and forwarded them to D-Link who insisted the issue was relegated to browsers and that the company would not publish a fix. Messner elected to provide more information to D-Link more than a week and a half ago, on January 25. Having still not heard back yet, Messner saw fit to publicly releasing the attack details earlier this week.