D-Link DAP-1650 gena.cgi SUBSCRIBE Command Injection Vulnerability

Jan 26, 2024 12:00 am Technology 405











EIP-13d90c2b


The D-Link DAP-1650 contains a command injection vulnerability in the gena.cgi module when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.


Vulnerability Identifier


Exodus Intelligence: EIP-13d90c2b
MITRE: CVE-2024-23624

Vulnerability Metrics


CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSSv2 Score: 8.3

Vendor References


The affected product is end-of-life and no patches are available.
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10266

Discovery Credit


Exodus Intelligence

Disclosure Timeline


Disclosed to Vendor: December 14, 2021
Vendor response to disclosure: January 27, 2022Disclosed to public: January 25, 2024

Further Information


Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at [email protected]












The post D-Link DAP-1650 gena.cgi SUBSCRIBE Command Injection Vulnerability appeared first on Exodus Intelligence.



Support the originator by clicking the read the rest link below.
subscribe command injection vulnerability
Read The Rest from the original source
blog.exodusintel.com

Related News

Be in Touch

All Rights Reserved #1 Source for Cyber Security News, Reports and Threat Intelligence
Powered By The Internet!!!!