Remote Code Execution Vulnerability in D-Link DIR-X3260 Routers
CVE-2023-44419
8.8 HIGH
Summary
A vulnerability exists in D-Link DIR-X3260 routers. The flaw is in the prog.cgi binary, which processes HNAP requests on the lighttpd webserver: the length of user-supplied input is not adequately verified before the input is copied to a fixed-length stack-based buffer. As a result, network-adjacent attackers can exploit this stack-based buffer overflow to achieve remote code execution and gain control over affected systems, with no authentication required. Users of these routers should be aware of this risk and ensure that their systems are updated with the latest security patches.
Affected Version(s)
DIR-X3260 1.02B02
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved