CVE-2023-45574
Published: 16 October 2023
Summary
CVE-2023-45574 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Dlink Di-7003G Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 4.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-45574 is a buffer overflow vulnerability, tracked under CWE-787, that affects multiple D-Link router models including DI-7003GV2.D1 versions up to 23.08.25D1, DI-7100G+V2.D1 and DI-7100GV2.D1 up to 23.08.23D1, DI-7200G+V2.D1 and DI-7200GV2.E1 up to 23.08.23E1 or 23.08.23D1, and DI-7300G+V2.D1 plus DI-7400G+V2.D1 up to 23.08.23D1. The flaw resides in the fn parameter of the file.data function and carries a CVSS 3.1 score of 9.8.
A remote attacker with no authentication or user interaction required can send a crafted request to the affected device over the network, triggering the overflow to execute arbitrary code with full control over the device.
D-Link has published a security bulletin addressing the affected DI-7xxx series devices, available on its official security page.
The EPSS score for this CVE stands at 0.23 with no material increase from a lower baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-49866
Vulnerability details
Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via…
more
the fn parameter of the file.data function.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.