CVE-2024-7828

Severity: High · Public PoC

Published: 15 August 2024
Modified: 19 August 2024
KEV Added: not listed in CISA KEV
Patch: none (vendor has declared the products end-of-life)
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.4227 (97.5th percentile)
Risk Priority: 43 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-7828 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in D-Link DNS-120 firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.5% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-7828 is a buffer overflow vulnerability in the cgi_set_cover function within the /cgi-bin/photocenter_mgr.cgi file of multiple end-of-life D-Link NAS products, including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04. The flaw is triggered by manipulation of the album_name argument and was assigned CWE-120; it carries a CVSS 4.0 score of 8.7 reflecting network-accessible, low-complexity exploitation that can result in high impact to confidentiality, integrity, and availability. The issue affects only unsupported devices whose maintainer confirmed end-of-life status prior to disclosure on 15 August 2024.

An authenticated remote attacker can supply a crafted album_name value to the affected CGI endpoint and trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service on the device. Public exploit code has been released, confirming the attack can be initiated over the network without user interaction.

D-Link’s security advisory SAP10383 states that the listed products are no longer supported, recommends immediate retirement and replacement, and provides no patches or workarounds. The GitHub disclosure and VulDB entries similarly note the absence of vendor fixes due to the end-of-life status.

The associated EPSS score has remained flat at 0.4227 since publication, indicating moderate but stable exploitation interest without a post-disclosure rise.

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_set_cover of the file /cgi-bin/photocenter_mgr.cgi. The manipulation of the argument album_name leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

CWE(s): CWE-120 (Classic Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The buffer overflow sits in a web CGI endpoint (/cgi-bin/photocenter_mgr.cgi) that is reachable over the network, so exploitation maps to Exploit Public-Facing Application (T1190). Unsafe string handling via sprintf feeding a system() call is what would allow arbitrary Unix shell command execution (T1059.004).

Affected Assets

Vendor | Product | Versions
dlink | dns-120 firmware | all versions
dlink | dnr-202l firmware | all versions
dlink | dns-315l firmware | all versions
dlink | dns-320 firmware | all versions
dlink | dns-320l firmware | all versions
dlink | dns-320lw firmware | all versions
dlink | dns-321 firmware | all versions
dlink | dnr-322l firmware | all versions
dlink | dns-323 firmware | all versions
dlink | dns-325 firmware | all versions
+10 more product configuration(s); see NVD for the full list

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-120

Platform-independent managed code eliminates the need for the unchecked native buffer copies that are the root cause of classic buffer overflows.

References