EIP-13d90c2b
The D-Link DAP-1650 contains a command injection vulnerability in the gena.cgi module when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.
Vulnerability Identifier
Exodus Intelligence: EIP-13d90c2b
MITRE: CVE-2024-23624
Vulnerability Metrics
CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSSv2 Score: 8.3
Vendor References
The affected product is end-of-life and no patches are available.
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10266
Discovery Credit
Exodus Intelligence
Disclosure Timeline
Disclosed to Vendor: December 14, 2021
Vendor response to disclosure: January 27, 2022Disclosed to public: January 25, 2024
Further Information
Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at [email protected]
The post D-Link DAP-1650 gena.cgi SUBSCRIBE Command Injection Vulnerability appeared first on Exodus Intelligence.
Support the originator by clicking the read the rest link below.