CVE-2023-33782
Published: 07 June 2023
Summary
CVE-2023-33782 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DIR-842V2 firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
D-Link DIR-842V2 firmware version 1.0.3 contains a command injection vulnerability in its iperf3 diagnostics function. The flaw is tracked as CVE-2023-33782, carries a CVSS 3.1 score of 8.8, and is categorized under CWE-77. It allows an attacker to supply crafted input that is executed directly by the underlying operating system.
An authenticated user with network access can trigger the flaw without user interaction, resulting in arbitrary command execution on the device. Successful exploitation grants the attacker the ability to read, modify, or delete data and to disrupt device operation, consistent with the high impact ratings across confidentiality, integrity, and availability.
Public references point to a D-Link security bulletin page and a proof-of-concept repository that demonstrates the issue. No specific patch version or mitigation steps are detailed in the supplied references. The associated EPSS score currently stands at 0.5194 with a recorded peak of 0.5221, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37933
Vulnerability details
D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.