CVE-2023-44693
Published: 17 October 2023
Summary
CVE-2023-44693 is a critical-severity SQL injection (CWE-89) vulnerability in D-Link DAR-7000 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
D-Link Online behavior audit gateway DAR-7000 version V31R02B1413C contains a SQL injection vulnerability (CWE-89) in the /importexport.php endpoint. The flaw carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and high impact to confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input to the affected endpoint and execute arbitrary SQL commands against the backend database. Successful exploitation grants the ability to read, modify, or delete data and potentially take full control of the device.
Public references consist of proof-of-concept details hosted on GitHub that demonstrate the injection vector; no vendor advisory or patch information is included in the available references. The associated EPSS score reached a peak of 0.1058 on 2025-12-11 before receding to its current value of 0.0836.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-49027
Vulnerability details
D-Link Online behavior audit gateway DAR-7000 V31R02B1413C is vulnerable to SQL Injection via /importexport.php.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.