Unauthenticated attackers could execute arbitrary commands with root privileges.
DSR-150, DSR-250, DSR-500, DSR-1000AC
Firmware versions v3.17 and earlier
D-Link VPN Routers using the Unified Services Router web interface exhibit multiple flaws which could allow a remote attacker to execute arbitrary commands with root privileges.
The first issue requires no authentication, only that the web interface be reachable: a Lua library passes user-supplied data into a call that builds a shell command to calculate a hash, allowing arbitrary code execution.
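As an added illustration of the pattern described above (this is not D-Link's code and does not reproduce the device's library), the following hypothetical Lua helper shows request data concatenated into a hash command, beside a hardened variant that validates the input and computes the digest in-process. The md5 module and its sumhexa function are assumptions standing in for whatever digest binding a given firmware ships.

```lua
-- Hypothetical illustration, not code from the affected firmware.

-- UNSAFE pattern: the untrusted value is spliced straight into a shell
-- command. Because io.popen hands the string to /bin/sh, any shell
-- metacharacters in the value are interpreted, and on a device whose web
-- server runs as root the resulting command runs as root too.
local function hash_unsafe(value)
  local p = io.popen("echo -n " .. value .. " | md5sum")
  local out = p:read("*a")
  p:close()
  return out:match("^(%x+)")
end

-- HARDENED: request data never reaches a shell. The value is checked
-- against a strict allow-list (assumed here: letters, digits and a few
-- punctuation characters, at most 256 bytes), then hashed by a library
-- call instead of a spawned process.
local md5 = require("md5")  -- assumed binding exposing md5.sumhexa(s)

local function hash_safe(value)
  if type(value) ~= "string" or #value == 0 or #value > 256
     or not value:match("^[%w%._%-@]+$") then
    return nil, "invalid input"
  end
  return md5.sumhexa(value)
end

-- Example use with constructed inputs: a benign value hashes normally,
-- while a value carrying shell syntax is refused before any command runs.
print(hash_safe("firmware-3.17"))
print(hash_safe("a; reboot"))   -- nil, "invalid input"
```

If a library binding is unavailable and a CLI tool must be used, the same rule applies: validate first and avoid building the command line from request data at all.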
The second issue requires authentication and exploits the Package Management form in the web interface, which lacks server-side filtering for multipart POST payloads.
D-Link regards the third issue as intended device functionality.