D-Link DIR-X3260 SetTriggerPPPoEValidate Password Command Injection Remote Code Execution Vulnerability
CVE-2023-44423
8HIGH
What is CVE-2023-44423?
A command injection vulnerability exists in D-Link DIR-X3260 routers, allowing network-adjacent attackers to execute arbitrary code on vulnerable installations. This issue arises from insufficient validation of user input in the prog.cgi program, which processes HNAP requests on the lighttpd web server. Although authentication is typically required, attackers can bypass this mechanism to gain unauthorized access. Successful exploitation enables them to run code with root privileges, posing significant security risks to affected network environments.
Affected Version(s)
DIR-X3260 1.02B02