The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user’s account.
The vulnerability results from lack of proper permission verification in the modem's API — an unauthenticated network attacker can invoke privileged API functions without needing any credentials. This allows changing the password of any user account on the device. After changing the password, the attacker gains full access to the modem management services: Web interface, SSH, and Telnet.
An attacker can take control of any account on the device, gaining access to the management interface via Web, SSH, and Telnet, which in practice means complete takeover of the modem and potentially the entire network behind it.
The D-Link manufacturer does not plan to release a patch due to the device's End-of-Life (EOL) status. It is recommended to immediately withdraw the device from use or — if this is not possible — isolate the management interface from the public network (disable remote access, apply firewall blocking access to management ports from outside). Consider replacing the device with an actively supported model.
D-Link DSL6740C Firmware (D-Link DSL6740C modem) — according to manufacturer information, the device is marked as End-of-Life (EOL), and the vulnerability affects its firmware versions indicated in the manufacturer's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink Dsl6740c
HWDlinkwszystkie wersjeDlink Dsl6740c Firmware
OSDlinkwszystkie wersje
Related vulnerabilities
The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administra...
The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administra...
The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administra...
The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administra...
The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administra...