CVE-2023-45208

moderate-risk
Published 2023-10-10

A command injection in the parsing_xml_stasurvey function inside libcgifunc.so of the D-Link DAP-X1860 repeater 1.00 through 1.01b05-01 allows attackers (within range of the repeater) to run shell commands as root during the setup process of the repeater, via a crafted SSID. Also, network names containing single quotes (in the range of the repeater) can result in a denial of service.

Do I need to act?

~
1.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
ADJACENT_NETWORK / LOW complexity

Affected Products (3)

Affected Vendors

Dlink

References (2)

Exploit https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-006/-d-link-dap-x1860...
Exploit https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-006/-d-link-dap-x1860...
40
/ 100
moderate-risk
Severity 27/34 · High
Exploitability 4/34 · Minimal
Exposure 9/34 · Low