D Link D Link

Do you want an email whenever new security vulnerabilities are reported in any D Link product?

Products by D Link Sorted by Most Security Vulnerabilities since 2018

D Link Central Wifimanager6 vulnerabilities

D Link Di 7842 vulnerabilities

D Link Di 5241 vulnerability

D Link Di 6141 vulnerability

D Link Di 704p1 vulnerability

D Link Dvg N5412sp1 vulnerability

D Link Mydlink1 vulnerability

Known Exploited D Link Vulnerabilities

The following D Link vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
D-Link DSL-2750B Devices Command Injection Vulnerability D-Link DSL-2750B devices contain a command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter. CVE-2016-20017 January 8, 2024
D-Link DIR-859 Router Command Execution Vulnerability D-Link DIR-859 router contains a command execution vulnerability in the UPnP endpoint URL, /gena.cgi. Exploitation allows an unauthenticated remote attacker to execute system commands as root by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network. CVE-2019-17621 June 29, 2023
D-Link DWL-2600AP Access Point Command Injection Vulnerability D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. CVE-2019-20500 June 29, 2023
D-Link DIR-816L Remote Code Execution Vulnerability D-Link DIR-816L contains an unspecified vulnerability in the shareport.php value parameter which allows for remote code execution. CVE-2022-28958 September 8, 2022
D-Link DIR-820L Remote Code Execution Vulnerability D-Link DIR-820L contains an unspecified vulnerability in Device Name parameter in /lan.asp which allows for remote code execution. CVE-2022-26258 September 8, 2022
D-Link Multiple Routers OS Command Injection Vulnerability Multiple D-Link routers contain an unspecified vulnerability which allows for execution of OS commands. CVE-2018-6530 September 8, 2022
D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information. CVE-2011-4723 September 8, 2022
D-Link DNS-320 Remote Code Execution Vulnerability The login_mgr.cgi script in D-Link DNS-320 is vulnerable to remote code execution. CVE-2019-16057 April 15, 2022
D-Link Multiple Routers Remote Code Execution Vulnerability A remote code execution vulnerability exists in all series H/W revisions routers via the DDNS function in ncc2 binary file. CVE-2021-45382 April 4, 2022
D-Link DIR-610 Devices Remote Command Execution D-Link DIR-610 devices allow remote code execution via the cmd parameter to command.php. CVE-2020-9377 March 25, 2022
D-Link Multiple Routers Command Injection Vulnerability Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise. CVE-2019-16920 March 25, 2022
D-Link DCS-930L Devices OS Command Injection Vulnerability setSystemCommand on D-Link DCS-930L devices allows a remote attacker to execute code via an OS command. CVE-2016-11021 March 25, 2022
D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability A cross-site scripting (XSS) vulnerability exists in the D-Link DSL-2760U gateway, allowing remote authenticated users to inject arbitrary web script or HTML. CVE-2013-5223 March 25, 2022
D-Link DIR-645 Router Remote Code Execution Vulnerability D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. CVE-2015-2051 February 10, 2022
D-Link DIR-825 R1 Through 3.0.1 Before 11/2020 Buffer Overflow D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20 contain a vulnerability in the web interface allowing for remote code execution. CVE-2020-29557 November 3, 2021
D-Link DNS-320 Command Injection Remote Code Execution Vulnerability D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. CVE-2020-25506 November 3, 2021

By the Year

In 2024 there have been 0 vulnerabilities in D Link . D Link did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 0 0.00
2020 1 7.50
2019 2 7.20
2018 6 7.65

It may take a day or so for new D Link vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent D Link Security Vulnerabilities

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL

CVE-2020-12695 7.5 - High - June 08, 2020

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Incorrect Default Permissions

The FTP service on D-Link Central WiFiManager CWM-100 1.03 r0098 devices

CVE-2018-15516 5.8 - Medium - January 31, 2019

The FTP service on D-Link Central WiFiManager CWM-100 1.03 r0098 devices allows remote attackers to conduct a PORT command bounce scan via port 8000, resulting in SSRF.

XSPA

The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually

CVE-2018-15517 8.6 - High - January 31, 2019

The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.

XSPA

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06

CVE-2018-18767 7 - High - December 20, 2018

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials.

Inadequate Encryption Strength

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17440 9.8 - Critical - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request.

Unrestricted File Upload

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17441 6.1 - Medium - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'username' parameter of the addUser endpoint is vulnerable to stored XSS.

XSS

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17442 8.8 - High - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. An unrestricted file upload vulnerability in the onUploadLogPic endpoint allows remote authenticated users to execute arbitrary PHP code.

Unrestricted File Upload

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17443 6.1 - Medium - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'sitename' parameter of the UpdateSite endpoint is vulnerable to stored XSS.

XSS

An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933L 1.05.04 and DCS-934L 1.05.04 devices

CVE-2018-7698 8.1 - High - March 05, 2018

An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933L 1.05.04 and DCS-934L 1.05.04 devices. The mydlink+ app sends the username and password for connected D-Link cameras (such as DCS-933L and DCS-934L) unencrypted from the app to the camera, allowing attackers to obtain these credentials and gain control of the camera including the ability to view the camera's stream and make changes without the user's knowledge.

Insufficiently Protected Credentials

Stack-based buffer overflow in the Universal Plug and Play (UPnP) service in D-Link DI-524, DI-604 Broadband Router, DI-624, D-Link DI-784, WBR-1310 Wireless G Router, WBR-2310 RangeBooster G Router, and EBR-2310 Ethernet Broadband Router

CVE-2006-3687 - July 21, 2006

Stack-based buffer overflow in the Universal Plug and Play (UPnP) service in D-Link DI-524, DI-604 Broadband Router, DI-624, D-Link DI-784, WBR-1310 Wireless G Router, WBR-2310 RangeBooster G Router, and EBR-2310 Ethernet Broadband Router allows remote attackers to execute arbitrary code via a long M-SEARCH request to UDP port 1900.

D-Link DI-524 Wireless Router, DI-624 Wireless Router, and DI-784

CVE-2005-4723 - December 31, 2005

D-Link DI-524 Wireless Router, DI-624 Wireless Router, and DI-784 allow remote attackers to cause a denial of service (device reboot) via a series of crafted fragmented UDP packets, possibly involving a missing fragment.

Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router running firmware 2.30, and DI-704 SOHO router running firmware 2.60B2, and DI-624

CVE-2004-0615 - December 06, 2004

Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router running firmware 2.30, and DI-704 SOHO router running firmware 2.60B2, and DI-624, allows remote attackers to inject arbitrary script or HTML via the DHCP HOSTNAME option in a DHCP request.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.