A vulnerability in D-Link DSL-2740B routers running firmware version EU_1.00, and possibly other versions, could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.
The vulnerability is due to improper validation of certain user-supplied HTTP requests by the affected software. An attacker could exploit the vulnerability by convincing an authenticated user to visit a malicious website. If successful, the attacker could conduct CSRF attacks and perform unauthorized actions on behalf of a user who is logged in to the targeted device. Successful exploitation could allow the attacker to conduct further attacks.
Proof-of-concept code that exploits the vulnerability is publicly available.
D-Link has not confirmed this vulnerability and updates are not available.
Administrators are advised to contact the vendor regarding future updates and releases.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
For additional information about CSRF attacks and potential mitigation methods, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Request Forgery Threat Vectors".
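The following is an added illustration, not code from D-Link or from this bulletin, of the request validation whose absence is described above: a web management interface should reject a state-changing request unless its Origin (or Referer) header matches the device's own origin and the request carries the per-session anti-CSRF token. The device address, session token and form fields are constructed for the example.

```python
# Added example (not D-Link firmware code): two independent checks that a
# router admin interface can apply to every state-changing HTTP request.
# A forged request from another site fails both: the browser stamps it with
# the attacker's Origin, and the page cannot read the victim's CSRF token.
import hmac
import secrets
from urllib.parse import urlparse

DEVICE_ORIGIN = "http://192.168.1.1"  # constructed example address


def issue_token():
    """Per-session token; kept server side and embedded in every admin form."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers, device_origin=DEVICE_ORIGIN):
    """Origin must equal the device origin; fall back to Referer; neither -> reject."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        p = urlparse(referer)
        origin = "%s://%s" % (p.scheme, p.netloc)
    return origin == device_origin  # "null" and foreign origins fail here


def token_valid(session_token, submitted):
    """Constant-time comparison so the token cannot be recovered by timing."""
    if submitted is None:
        return False
    return hmac.compare_digest(session_token, submitted)


def state_change_allowed(method, headers, form, session_token):
    """Gate everything except safe methods; GET/HEAD must not change state."""
    if method.upper() in ("GET", "HEAD"):
        return True
    return origin_allowed(headers) and token_valid(session_token, form.get("csrf_token"))


# Constructed requests: one from the device's own page, one from another site.
SESSION_TOKEN = issue_token()
LEGIT = {"headers": {"Origin": DEVICE_ORIGIN, "Cookie": "session=abc"},
         "form": {"dns1": "192.168.1.1", "csrf_token": SESSION_TOKEN}}
FORGED = {"headers": {"Origin": "http://other.example", "Cookie": "session=abc"},
          "form": {"dns1": "198.51.100.7"}}

if __name__ == "__main__":
    for name, r in (("legit", LEGIT), ("forged", FORGED)):
        print(name, state_change_allowed("POST", r["headers"], r["form"], SESSION_TOKEN))
```

The Origin check alone stops a browser-originated CSRF; the token check additionally covers clients that omit Origin and Referer entirely, which is why the example rejects a request that sends neither.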