CVE-2024-23625
Published: 26 January 2024
Summary
CVE-2024-23625 is a critical-severity Command Injection (CWE-77) vulnerability in D-Link DAP-1650 firmware. Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability exists in D-Link DAP-1650 devices when handling UPnP SUBSCRIBE messages. The flaw, tracked as CVE-2024-23625 and assigned CWE-77, allows unauthenticated remote attackers to inject and execute arbitrary commands. It carries a CVSS 3.1 score of 9.6 with an attack vector of adjacent network, low complexity, and no required privileges or user interaction, resulting in complete confidentiality, integrity, and availability impact with scope change.
An attacker positioned on the same network segment as an affected DAP-1650 device can send a crafted UPnP SUBSCRIBE message that triggers the injection. Successful exploitation grants command execution on the device with root privileges, enabling full control over the router's configuration, traffic, and connected clients.
The EPSS score for this CVE has remained flat at 0.1001 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21119
Vulnerability details
A command injection vulnerability exists in D-Link DAP-1650 devices when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.