D-Link to issue firmware fix for 'backdoor' security flaw in routers

FOUNTAIN VALLEY, Calif., Oct. 15 (UPI) -- Network router maker D-Link says it will fix a security issue that could let attackers change a router's settings without requiring a username and password.

D-Link said the patch should be available by the end of the month, PC World reported Tuesday.

The security vulnerability is a backdoor-type function built into the firmware of some D-Link routers that could be used to bypass the normal authentication procedure on their Web-based user interfaces, the company said.

A vulnerability researcher with Tactical Network Solutions uncovered the issue.

"If your browser's user agent string is 'xmlset_roodkcableoj28840ybtide' (no quotes), you can access the web interface without any authentication and view/change the device settings," Craig Heffner wrote Saturday in a blog post.

The last part of this hard-coded value, when read in reverse, reads "edit by 04882 joel backdoor."
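
For defenders, the hard-coded string quoted above doubles as a detection indicator. The following is an added example (not from the article, D-Link or Heffner) that scans HTTP access logs for it; it assumes a proxy or network sensor in front of the router's web interface writes Combined Log Format, and the sample lines, addresses and request paths are constructed.

```python
import re
from collections import defaultdict

# User-Agent value quoted in the article; requests carrying it bypass authentication.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses, made-up paths), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Oct/2013:09:12:01 +0000] "GET /index.html HTTP/1.1" 401 312 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [15/Oct/2013:09:13:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.7 - - [15/Oct/2013:09:13:59 +0000] "POST /settings.cgi HTTP/1.1" 200 88 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.23 - - [15/Oct/2013:09:20:10 +0000] "GET / HTTP/1.1" 401 312 "-" " XMLSET_roodkcableoj28840ybtide "
this line is malformed and must be skipped
"""


def find_backdoor_requests(log_text):
    """Return {source: [(time, request, status), ...]} for requests using the backdoor UA."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not Combined Log Format; ignore rather than fail
        # Normalise before comparing so padded or re-cased probes are still flagged.
        if m["ua"].strip().lower() == BACKDOOR_UA:
            hits[m["src"]].append((m["time"], m["request"], int(m["status"])))
    return dict(hits)


def successful_sources(hits):
    """Sources that received a 2xx response, meaning the request was actually served."""
    return sorted(s for s, reqs in hits.items() if any(200 <= st < 300 for _, _, st in reqs))


if __name__ == "__main__":
    hits = find_backdoor_requests(SAMPLE_LOG)
    for src, reqs in hits.items():
        print(src, reqs)
    print("served without authentication:", successful_sources(hits))
```

A source that appears in `successful_sources` warrants a review of the router's current settings, since the article notes the interface allows both viewing and changing them.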

D-Link said it would release firmware updates to address the vulnerability in affected routers.

"Owners of affected devices can minimize any potential risk by ensuring that their router has the Wi-Fi password enabled and that remote access is disabled," the company said.

The company did not address why the backdoor was included in the firmware in the first place, PC World reported.
