D-Link DNS products vulnerable to command injection via /cgi-bin/hd_config.cgi
CVE-2024-8212

9.8CRITICAL

Key Information:

Vendor: D-link
Status: Dns-120; Dnr-202l; Dns-315l; Dns-320
Vendor: CVE Published:; 27 August 2024

Badges

👾 Exploit Exists

What is CVE-2024-8212?

A vulnerability has been identified in several D-Link DNS series Network Attached Storage products, specifically affecting the function cgi_FMT_R12R5_2nd_DiskMGR located in the /cgi-bin/hd_config.cgi file. The vulnerability arises from improper handling of the f_source_dev parameter, leading to potential command injection attacks. This issue can be exploited remotely, allowing attackers to execute unauthorized commands on affected devices. Notably, all products impacted by this vulnerability are no longer supported by the vendor, emphasizing the need for users to retire and replace these devices to mitigate risk.

Affected Version(s)

DNR-202L 20240814

DNR-322L 20240814

DNR-326 20240814

References

https://vuldb.com/?id.275921

vdb-entrytechnical-description

https://vuldb.com/?ctiid.275921

signaturepermissions-required

https://vuldb.com/?submit.397276

third-party-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Aug 27, 2024
Vulnerability published
Aug 27, 2024
Vulnerability Reserved
Aug 27, 2024

Credit

BuaaIoTTeam (VulDB User)

D-link

Badges

What is CVE-2024-8212?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit