D-Link DIR-1950 v1.11B03 SSL Cert Bypass enables Firmware Downgrade MITM
CVE-2024-36755 Published on June 27, 2024
D-Link DIR-1950 up to v1.11B03 does not validate SSL certificates when requesting the latest firmware version and downloading URL. This can allow attackers to downgrade the firmware version or change the downloading URL via a man-in-the-middle attack.
Vulnerability Analysis
Weakness Type
Missing Validation of OpenSSL Certificate
The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.
Products Associated with CVE-2024-36755
Want to know whenever a new CVE is published for D-Link Dir 1950 Firmware? stack.watch will email you.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.