Command Injection Vulnerability in Device Firmware Update Interface
CVE-2023-0127

7.8HIGH

Key Information:

Vendor: D-Link
Status: D-Link DWL-2600AP with firmware v4.2.0.17
Vendor: CVE Published:; 11 February 2023

Summary

A command injection flaw exists in the firmware_update command within the restricted telnet interface of the affected devices. This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges, potentially compromising the security and integrity of the device. Operators of these devices should monitor for exploit attempts and apply security patches provided by the vendor.

Affected Version(s)

D-Link DWL-2600AP with firmware v4.2.0.17 DWL-2600AP with firmware version v.4.2.0.17

References

https://www.tenable.com/security/research/tra-2023-1

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 11, 2023
Vulnerability Reserved
Jan 9, 2023