Critical Vulnerabilities in D-Link Products

Published on 26 May 2023

D-Link has released security updates to address two critical vulnerabilities (CVE-2023-32165 and CVE-2023-32169) in its D-View 8 network management suite. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

The vulnerabilities are:

  • CVE-2023-32165: A remote code execution vulnerability that may allow an unauthenticated, remote attacker to execute code with SYSTEM privileges. This allows the code to run with the highest privileges in Windows, potentially allowing complete system takeover.
  • CVE-2023-32169: An authentication bypass resulting from the use of a hard-coded cryptographic key in the software's TokenUtils class. It could enable an unauthenticated attacker to escalate privileges, access information, change configurations and settings, and even install backdoors and malware.

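The root cause behind CVE-2023-32169, a token utility whose signing key is compiled into the product so every installation shares it, is illustrated below alongside the hardened pattern. This is an added example, not D-View's code: the token layout, the `KNOWN_DEFAULT_KEY` placeholder, the `TOKEN_KEY` environment variable and the 32-byte minimum are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Constructed placeholder standing in for a key baked into a build; not a real D-View value.
# With such a key, anyone who has the product binary holds the same key as every deployment.
KNOWN_DEFAULT_KEY = b"CHANGE-ME-default-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_acceptable_key(key: bytes) -> bool:
    """Hardened check: reject the shipped default and anything too short to resist guessing."""
    return key != KNOWN_DEFAULT_KEY and len(key) >= 32


def key_from_env(var: str = "TOKEN_KEY") -> bytes:
    """Load the per-deployment key (hex) or generate one; never fall back to a compiled-in constant."""
    raw = os.environ.get(var)
    return bytes.fromhex(raw) if raw else secrets.token_bytes(32)


class TokenUtils:
    """Issues and verifies HMAC-SHA256 tokens of the form '<b64url(claims)>.<b64url(mac)>'."""

    def __init__(self, key: bytes):
        if not is_acceptable_key(key):
            raise ValueError("refusing to start with a shared/default or short token key")
        self._key = key

    def issue(self, claims: dict, ttl: int = 3600, now: Optional[int] = None) -> str:
        body = dict(claims, exp=(now if now is not None else int(time.time())) + ttl)
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{_b64(mac)}"

    def verify(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        """Return the claims if the MAC matches and the token is unexpired, else None."""
        try:
            payload, sig = token.split(".", 1)
            expected = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
                return None
            claims = json.loads(_unb64(payload))
        except ValueError:  # covers bad base64 and bad JSON
            return None
        if not isinstance(claims, dict):
            return None
        if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
            return None
        return claims
```

`TokenUtils(key_from_env())` is the intended construction; a token minted under one deployment's key does not verify under another's, which is exactly the property a hard-coded key destroys.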
The vulnerabilities affect D-View 8 network management suite versions up to and including 2.0.1.27.

Users and administrators of affected product versions are advised to update to the latest versions immediately.

More information is available here:
https://www.bleepingcomputer.com/news/security/d-link-fixes-auth-bypass-and-rce-flaws-in-d-view-8-software/
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332