CVE-2024-11067

Relative Path Traversal (CWE-23)

Published: Nov 11, 2024 / Updated: 8d ago

CVSS 7.5 / EPSS 0.09% / High

The D-Link DSL6740C modem has a path traversal vulnerability that allows unauthenticated remote attackers to read arbitrary system files. Because the device's default password is derived from its MAC address, an attacker can recover the MAC address through this vulnerability and then attempt to log in to the device with the default password, turning an information disclosure into full administrative access.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
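The root cause class here is CWE-23: a request path is joined onto the web root without being canonicalised, so "../" segments (plain or percent-encoded) walk out of the document root. The following is an added example, not code from D-Link's firmware or from this advisory. It contrasts the naive join with a hardened resolver that decodes exactly once, normalises "." and ".." lexically, and rejects any request that would climb above the root. The web root "/www", the helper names and the sample request paths are assumptions for illustration only; they are not the device's real paths.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGS 64

/* Vulnerable pattern: concatenate the request onto the web root with no
 * normalisation. "/../../etc/passwd" becomes "/www//../../etc/passwd",
 * which the filesystem follows straight out of the root. */
int naive_join(const char *root, const char *req, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s/%s", root, req);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Decode %XX escapes exactly once. Rejects malformed escapes and encoded NUL
 * bytes (which would silently truncate the path as a C string). */
static int url_decode(const char *src, char *dst) {
    while (*src) {
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return -1;
            char hex[3] = { src[1], src[2], '\0' };
            int v = (int)strtol(hex, NULL, 16);
            if (v == 0) return -1;
            *dst++ = (char)v;
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
    return 0;
}

/* Hardened resolver: decode once, split into segments, apply "." and ".."
 * lexically, and refuse any request whose ".." would climb above root.
 * root is assumed to carry no trailing slash (assumption for this example).
 * Returns 0 and writes the canonical path to out, or -1 if rejected. */
int resolve_under_root(const char *root, const char *req, char *out, size_t outlen) {
    char buf[1024];
    if (strlen(req) >= sizeof buf) return -1;
    if (url_decode(req, buf) != 0) return -1;

    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    int depth = 0;
    char *p = buf;
    while (*p) {
        while (*p == '/') p++;            /* collapse repeated slashes */
        if (*p == '\0') break;
        char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;    /* CWE-23: attempt to escape root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -1;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    size_t n = strlen(root);
    if (n >= outlen) return -1;
    memcpy(out, root, n);
    for (int i = 0; i < depth; i++) {
        if (n + 1 + lens[i] >= outlen) return -1;
        out[n++] = '/';
        memcpy(out + n, segs[i], lens[i]);
        n += lens[i];
    }
    out[n] = '\0';
    return 0;
}

/* Small helpers so the behaviour can be checked without inspecting buffers. */
int resolves_to(const char *req, const char *expected) {
    char out[256];
    if (resolve_under_root("/www", req, out, sizeof out) != 0) return 0;
    return strcmp(out, expected) == 0;
}

int is_rejected(const char *req) {
    char out[256];
    return resolve_under_root("/www", req, out, sizeof out) == -1;
}

int main(void) {
    /* Constructed sample requests; not taken from any advisory or device. */
    const char *requests[] = {
        "/index.html",
        "/css/../index.html",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/static/..%2f..%2fetc/passwd",
    };
    char out[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int naive = naive_join("/www", requests[i], out, sizeof out);
        printf("naive    %-32s -> %s\n", requests[i], naive == 0 ? out : "(error)");
        int safe = resolve_under_root("/www", requests[i], out, sizeof out);
        printf("hardened %-32s -> %s\n", requests[i], safe == 0 ? out : "REJECTED");
    }
    return 0;
}
```

Two design points matter for an embedded HTTP handler like the one implied by this CVE: decode exactly once before normalising (so `%2e%2e%2f` is caught, while a double-encoded `%252e` simply fails to match a file rather than bypassing the check), and normalise lexically before touching the filesystem, so the check does not depend on `realpath()` or on the target file existing. Rejecting encoded NUL bytes closes the classic truncation trick as well.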

Timeline

CVE Assignment

NVD published the first details for CVE-2024-11067

Nov 11, 2024 at 8:15 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Nov 11, 2024 at 8:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-11067.

Nov 11, 2024 at 8:21 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 11, 2024 at 8:21 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731890)

Nov 12, 2024 at 7:53 AM
EPSS

EPSS Score was set to: 0.09% (Percentile: 38.2%)

Nov 12, 2024 at 9:54 AM

Affected Systems

Dlink/dsl6740c_firmware

Attack Patterns

CAPEC-139: Relative Path Traversal

News

D-Link Urges Users to Replace Popular VPN Routers Due to Critical Flaw
D-Link has issued an urgent advisory for users of its DSR-150, DSR-150N, DSR-250, and DSR-250N VPN routers, citing a critical stack buffer overflow vulnerability that could allow remote code execution by unauthenticated attackers. These devices, which have reached their End-of-Life (EoL) and End-of-Service (EoS) status as of May 2024, no longer receive firmware updates or security patches, leaving users exposed to significant cyber risks.
D-Link urges users to retire VPN routers impacted by unfixed RCE flaw
D-Link is warning customers to replace end-of-life VPN router models after a critical unauthenticated, remote code execution vulnerability was discovered that will not be fixed on these devices. "Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link US." - D-Link
D-Link Urges Users to Replace VPN Routers Due to Unresolved RCE Vulnerability
The flaw, which does not have a CVE assigned yet, was discovered and reported by a security researcher known as ‘delsploit.’ The researcher has refrained from releasing technical details to the public to prevent widespread exploitation attempts. D-Link, the networking hardware vendor, has alerted its customers about a critical unauthenticated, remote code execution vulnerability affecting certain end-of-life VPN router models.
WARNING: D-LINK PRIVILEGE ESCALATION VULNERABILITY, REPLACE IMMEDIATELY!

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
