CVE-2024-51151
Published: 21 November 2024
Summary
CVE-2024-51151 is a critical-severity Command Injection (CWE-77) vulnerability in Dlink Di-8200 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
D-Link DI-8200 firmware version 16.07.26A1 is affected by a remote command execution vulnerability in the msp_info_htm function. The flaw is reachable through the flag and cmd parameters and is tracked under CWE-77 and CWE-78, receiving a CVSS 3.1 score of 9.8 reflecting network-accessible, unauthenticated exploitation with full impact on confidentiality, integrity, and availability.
An attacker with network connectivity can submit malicious values for the affected parameters to execute arbitrary operating-system commands on the device without authentication or user interaction, resulting in complete device compromise.
A technical report containing further details and reproduction information has been published at the referenced GitHub location. The EPSS score for this CVE is currently 0.4327, matching its observed peak with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45563
Vulnerability details
D-Link DI-8200 16.07.26A1 is vulnerable to remote command execution in the msp_info_htm function via the flag parameter and cmd parameter.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote command execution via unsanitized web parameters (flag and cmd) in the msp_info_htm function on a network device web interface, facilitating exploitation of public-facing applications, remote services, and network device CLI abuse.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.