A vulnerability in D-Link firmware powering multiple routers with VPN passthrough functionality allows attackers to take full control of the device. The bug affects routers running firmware version 3.17 or below. D-Link has released a hotfix; the latest firmware version mitigating the problem is 3B401C. The vulnerability is a root command injection that can be exploited remotely if the device's "Unified Services Router" web interface is reachable over the public internet. An attacker can slip malicious data into a command designed to calculate a hash that is processed by the "os.popen()" function.
Source: https://www.bleepingcomputer.com/news/security/d-link-vpn-routers-get-patch-for-remote-command-injection-bugs/
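The bug class described above, as an added Python illustration that is not D-Link's firmware code: request data concatenated into a hash command handed to `os.popen()`, next to an in-process replacement. The function names, the sample inputs and the `printf | sha256sum` command line are assumptions, since the summary does not show the firmware's actual command.

```python
import hashlib
import os
import shlex

# Constructed sample inputs (not from any real device or request).
BENIGN = "hunter2"
HOSTILE = "x; echo INJECTED"


def build_command(value):
    """Vulnerable pattern: request data concatenated into a shell command."""
    return "printf %s " + value + " | sha256sum"


def hash_vulnerable(value):
    """Hands the concatenated string to a shell (assumes sha256sum exists)."""
    with os.popen(build_command(value)) as pipe:
        return pipe.read()


def shell_commands(cmdline):
    """Approximate a shell's split on control operators, one list per command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in {";", "|", "||", "&", "&&"}:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def hash_hardened(value):
    """Fix: hash in-process; the input is only ever bytes, never shell syntax."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(shell_commands(build_command(BENIGN)))   # two commands, as designed
    print(shell_commands(build_command(HOSTILE)))  # a third command appears
    print(hash_hardened(HOSTILE))                  # input hashed as plain data
```

The hardened version removes the shell rather than filtering metacharacters, so there is no command line left for input to alter.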

