Cyber Resilience

CVE-2024-8132

MediumPublic PoC

Published: 24 August 2024

Published
24 August 2024
Modified
27 August 2024
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.2253 96.0th percentile
Risk Priority 24 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8132 is a medium-severity Command Injection (CWE-77) vulnerability in Dlink Dns-1550-04 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 4.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A command injection vulnerability exists in the webdav_mgr function within the /cgi-bin/webdav_mgr.cgi file of the HTTP POST Request Handler on multiple D-Link NAS products, including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to 20240814. The issue stems from improper handling of the f_path argument and is tracked under CWE-77 and CWE-78. All listed devices have reached end-of-life status and receive no further support.

An authenticated remote attacker can supply a crafted f_path value in an HTTP POST request to the affected endpoint, resulting in arbitrary command execution on the device. Public exploit code has been released, enabling potential unauthorized access or manipulation of files and services on the NAS.

D-Link's security advisory SAP10383 and direct vendor communication confirm the products are end-of-life, explicitly advising users to retire and replace the hardware rather than apply mitigations or firmware updates. The associated EPSS score has remained near 0.23 with only minimal fluctuation since disclosure.

EU & UK References

Vulnerability details

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function…

more

webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
dns-1550-04 firmware
all versions
dlink
dns-1200-05 firmware
all versions
dlink
dns-1100-4 firmware
all versions
dlink
dns-726-4 firmware
all versions
dlink
dns-345 firmware
all versions
dlink
dns-343 firmware
all versions
dlink
dns-340l firmware
all versions
dlink
dnr-326 firmware
all versions
dlink
dns-327l firmware
all versions
dlink
dns-326 firmware
all versions
+10 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References