CRITICAL🇵🇱 Wersja polska

CVE-2023-32169

CVSS 9.8v3.0pub. 2024-05-03upd. 2025-08-07

D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-19659.

🤖 AI Analysis
How it works

The problem lies in the TokenUtils class of D-View software, which uses a hardcoded cryptographic key to handle authentication tokens. Because the key is known (or can be reproduced), an attacker can independently generate valid authentication tokens. As a result, it is possible to bypass the entire authentication mechanism without knowledge of any login credentials.

Impact

An attacker gains unauthorized access to the D-Link D-View system from the network, which may lead to complete takeover of the application, disclosure of sensitive data, and modification of the configuration of managed network devices.

Mitigation & patch

Security patches available from the manufacturer should be applied according to the references (D-Link SAP10332 announcement available at supportannouncement.us.dlink.com)

Who is affected

D-Link D-View 8 — specific versions indicated in the manufacturer's references (SAP10332)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dlink D View 8

    APP
    Dlink
    ≤ 2.0.1.27
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-5296CRITICAL9.8PL ✓ten sam produkt

D-Link D-View 8 — pominięcie uwierzytelnienia przez zakodowany klucz kryptograficzny

CVE-2023-44414CRITICAL9.8PL ✓ten sam produkt

D-Link D-View: RCE przez ujawnioną niebezpieczną funkcję w coreservice_action_script

CVE-2023-32165CRITICAL9.8PL ✓ten sam produkt

D-Link D-View: RCE przez path traversal w TftpReceiveFileHandler

CVE-2023-44411CRITICAL9.8PL ✓ten sam produkt

D-Link D-View: hardcoded credentials umożliwiają bypass uwierzytelnienia

CVE-2023-7163CRITICAL10.0PL ✓ten sam produkt

D-Link D-View 8: Manipulacja inwentarzem sond umożliwia RCE i DoS