D-Link DAP-1650 SUBSCRIBE Callback Command Injection Vulnerability
CVE-2024-23625
9.6CRITICAL
What is CVE-2024-23625?
A command injection vulnerability has been identified in D-Link DAP-1650 devices, specifically related to the processing of UPnP SUBSCRIBE messages. This flaw allows unauthenticated attackers to execute arbitrary commands with root privileges, posing a significant security risk. Exploitation of this vulnerability could lead to unauthorized control over the affected devices, highlighting the importance of securing UPnP implementations and monitoring for anomalous activities.
Affected Version(s)
DAP-1650 0 <= 1.04B01
References
EPSS Score
7% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Exodus Intelligence