D-Link DAP-1650 SUBSCRIBE ‘Callback’ Command Injection Vulnerability

EIP-5a0f4b12 The D-Link DAP-1650 contains a command injection vulnerability in the ‘Callback’ parameter when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root. Vulnerability Identifier Exodus Intelligence: EIP-5a0f4b12 MITRE: CVE-2024-23625 Vulnerability Metrics CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C CVSSv2 Score: 8.3 Vendor References The affected product is end-of-life ... Read more D-Link DAP-1650 SUBSCRIBE ‘Callback’ Command Injection Vulnerability The post D-Link DAP-1650 SUBSCRIBE ‘Callback’ Command Injection Vulnerability appeared first on Exodus Intelligence .

EIP-5a0f4b12 The D-Link DAP-1650 contains a command injection vulnerability in the ‘Callback’ parameter when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root. Vulnerability Identifier Exodus Intelligence: EIP-5a0f4b12 MITRE: CVE-2024-23625 Vulnerability Metrics CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C CVSSv2 Score: 8.3 Vendor References The affected product is end-of-life ... Read more D-Link DAP-1650 SUBSCRIBE ‘Callback’ Command Injection Vulnerability The post D-Link DAP-1650 SUBSCRIBE ‘Callback’ Command Injection Vulnerability appeared first on Exodus Intelligence . EIP-5a0f4b12 The D-Link DAP-1650 contains a command injection vulnerability in the ‘Callback’ parameter when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root. Vulnerability Identifier Exodus Intelligence: EIP-5a0f4b12 MITRE: CVE-2024-23625 Vulnerability Metrics CVSSv2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C CVSSv2 Score: 8.3 Vendor References The affected product is end-of-life and no patches are available. https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10266 Discovery Credit Exodus Intelligence Disclosure Timeline Disclosed to Vendor: December 14, 2021 Vendor response to disclosure: January 27, 2022 Disclosed to public: January 25, 2024 Further Information Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at [email protected] The post D-Link DAP-1650 SUBSCRIBE ‘Callback’ Command Injection Vulnerability appeared first on Exodus Intelligence .