CVE-2018-25358

D-Link DIR601 2.02NA Credential Disclosure via my_cgi.cgi

CVSS 8.7 HIGHEPSS 0.6%CWE-497

D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST requests. Attackers can send requests to /my_cgi.cgi with table_name values like admin_user, wireless_settings, and wireless_security to extract administrative credentials and wireless network keys in clear text.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

D-Link · DIR-601

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/45002unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://ca.dlink.com/http://support.dlink.ca/ProductInfo.aspx?m=DIR-601 https://www.exploit-db.com/exploits/45002 https://www.packetlabs.net https://www.vulncheck.com/advisories/d-link-dir601-2-02na-credential-disclosure-via-my-cgi-cgi