Taiwanese networking hardware maker D-Link on Monday announced patches for multiple critical-severity vulnerabilities that could lead to remote code execution.

Two of the critical flaws, tracked as CVE-2024-45694 and CVE-2024-45695 (CVSS score of 9.8), are described as stack-based buffer overflow issues in the web service of several wireless routers.

Both security defects, D-Link notes in its advisory, can be exploited by remote, unauthenticated attackers to execute arbitrary code on the affected devices.

Another critical bug, tracked as CVE-2024-45697 (CVSS score of 9.8), may allow remote attackers to log in to vulnerable routers and execute system commands using hardcoded credentials.

“Certain D-Link wireless router models have hidden functionality: the telnet service is enabled when the WAN port is plugged in,” D-Link explains.

The manufacturer also released fixes for CVE-2024-45696, a high-severity vulnerability that could allow attackers to enable the telnet service and use hardcoded credentials to log in to the device.

“The attacker can forcibly enable the telnet service and log in using hard-coded credentials by sending specific packets to the web service. The telnet service enabled through this method can only be accessed from within the same local network as the device,” D-Link explains.

Another high-severity issue that D-Link has resolved exists because user input is not properly validated in the telnet service of certain wireless router models. The flaw is tracked as CVE-2024-45698.

“This allows unauthenticated, remote attackers to use hard-coded credentials to log into the telnet and inject arbitrary OS commands, which can then be executed on the device,” the manufacturer explains.

The five bugs impact D-Link’s COVR-X1870, DIR-X5460, and DIR-X4860 wireless routers. Firmware upgrades that resolve the security defects were released on September 13, the company says.

D-Link also revealed that the issues were reported to it via TWCERT (the Taiwan Computer Emergency Response Team/Coordination Center) on June 8, and that the reporter published information on the bugs before the company could release patches.

“The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule. We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer,” D-Link said.

Related: Cisco Patches High-Severity Vulnerabilities in Network Operating System

Related: Apache Makes Another Attempt at Patching Exploited RCE in OFBiz

Related: GitLab Security Update Patches Critical Vulnerability

Related: Nvidia Patches Many Vulnerabilities in Windows, Linux Display Drivers