Cyber Resilience

CVE-2023-32166

Severity: High
Published: 03 May 2024
Modified: 07 August 2025
KEV Added: not listed
CVSS Score v3: 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.2740 (96.5th percentile)
Risk Priority: 33 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-32166 is a high-severity Path Traversal (CWE-22) vulnerability in D-Link D-View 8. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 3.5% of CVEs by exploit likelihood (EPSS 0.2740, 96.5th percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

D-Link D-View contains a directory traversal vulnerability in the uploadFile function that permits authenticated remote attackers to create arbitrary files on the server. The flaw stems from insufficient validation of user-supplied paths before they are used in file operations, allowing writes in the context of the SYSTEM account. The issue was originally reported as ZDI-CAN-19527 and carries a CVSS 3.0 score of 8.1.

An attacker who already possesses valid credentials can supply a crafted path to uploadFile and place files anywhere on the affected system. Successful exploitation grants the ability to write attacker-controlled content, with high impact on integrity and availability but no confidentiality impact indicated.

D-Link has published advisory SAP10332 and the Zero Day Initiative has released ZDI-23-717, both of which address the issue and point to available updates or mitigations for D-View installations.

EPSS for the vulnerability rose from a low baseline to a recorded peak of 0.4365 (current value 0.2740), indicating that exploitation interest increased after public disclosure.

Vulnerability details

D-Link D-View uploadFile Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of D-Link D-View. Authentication is required to exploit this vulnerability. The specific flaw exists within the uploadFile function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of SYSTEM. Was ZDI-CAN-19527.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dlink
Product: d-view 8
Versions: ≤ 2.0.1.27

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
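The control above, as an added example that is not D-View's own code: the unvalidated join that characterises CWE-22 beside a hardened variant that rejects absolute paths, drive-letter prefixes, backslash separators and any name that resolves outside the upload root. The upload root is a constructed value; the real product path is not given on this page.

```python
import posixpath
from typing import Optional

# Constructed upload root for this example; the real D-View path is not on the page.
UPLOAD_ROOT = "/opt/dview/uploads"


def unvalidated_target_path(upload_root: str, user_filename: str) -> str:
    """Weakness pattern (CWE-22): the client-supplied name is joined as-is,
    so '..' segments or an absolute path escape the intended directory."""
    return posixpath.join(upload_root, user_filename)


def safe_target_path(upload_root: str, user_filename: str) -> Optional[str]:
    """Hardened variant: return the resolved path only if it stays inside
    upload_root; return None for anything that should be rejected."""
    candidate = user_filename
    # NUL bytes can truncate the path inside native file APIs.
    if "\0" in candidate:
        return None
    # The product runs as SYSTEM on Windows, so treat '\' as a separator too.
    candidate = candidate.replace("\\", "/")
    # Reject absolute paths and drive-letter prefixes ("C:...") up front.
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        return None
    root = posixpath.normpath(upload_root)
    # normpath collapses '.' and '..' lexically; on a live system also apply
    # os.path.realpath() so symlinks cannot bypass the check.
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    # Containment check with a trailing separator, so that a sibling such as
    # "/opt/dview/uploads2" does not pass as a prefix match; this also
    # refuses the root directory itself (empty or "." names).
    if not resolved.startswith(root + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for name in ("report.csv", "../../Windows/evil.txt", "..\\..\\evil.txt",
                 "C:/Windows/evil.txt", "sub/../ok.txt"):
        print(f"{name!r:28} -> {safe_target_path(UPLOAD_ROOT, name)}")
```

A stricter policy for an upload handler that never needs subdirectories is to keep only the final path component and apply an allow-list of characters before the containment check.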
