CVE-2024-45698

Published: Sep 16, 2024Modified: Oct 15, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD (Secondary)

Description

Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device.

Affected (2)

Products: Dlink: Dir X4860 Firmware

1 product

Dir X4860 Firmware

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dir X4860 Firmware	Version 1.00
Dlink Dir X4860 Firmware	Version 1.04

Running on/with	Platform Versions
Dlink Dir X4860	Version a1

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

https://www.twcert.org.tw/en/cp-139-8091-bcd52-2.html

Source: twcert@cert.org.tw

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-8090-bf06b-1.html

Source: twcert@cert.org.tw

Third Party Advisory

Timeline

No history available yet.