Cyber Resilience

CVE-2023-45574

CriticalPublic PoC

Published: 16 October 2023

Published
16 October 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2300 96.0th percentile
Risk Priority 33 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-45574 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Dlink Di-7003G Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 4.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-45574 is a buffer overflow vulnerability, tracked under CWE-787, that affects multiple D-Link router models including DI-7003GV2.D1 versions up to 23.08.25D1, DI-7100G+V2.D1 and DI-7100GV2.D1 up to 23.08.23D1, DI-7200G+V2.D1 and DI-7200GV2.E1 up to 23.08.23E1 or 23.08.23D1, and DI-7300G+V2.D1 plus DI-7400G+V2.D1 up to 23.08.23D1. The flaw resides in the fn parameter of the file.data function and carries a CVSS 3.1 score of 9.8.

A remote attacker with no authentication or user interaction required can send a crafted request to the affected device over the network, triggering the overflow to execute arbitrary code with full control over the device.

D-Link has published a security bulletin addressing the affected DI-7xxx series devices, available on its official security page.

The EPSS score for this CVE stands at 0.23 with no material increase from a lower baseline after disclosure.

EU & UK References

Vulnerability details

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via…

more

the fn parameter of the file.data function.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
di-7003g firmware
≤ 23.08.25d1
dlink
di-7100g\+ firmware
≤ 23.08.23d1
dlink
di-7100g firmware
≤ 23.08.23d1
dlink
di-7200g\+ firmware
≤ 23.08.23d1
dlink
di-7200g firmware
≤ 23.08.23e1
dlink
di-7300g\+ firmware
≤ 23.08.23d1
dlink
di-7400g\+ firmware
≤ 23.08.23d1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References