D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel
The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function) allows an attacker to access protected device functions without providing correct authentication credentials. This is possible by exploiting an alternative path or communication channel that is not covered by standard identity verification. The attack can be conducted remotely over the network, without user interaction, and without requiring any privileges.
An attacker can gain unauthorized access to the device with full privileges, which may result in taking control of the router/modem, modifying its configuration, intercepting network traffic, or enabling further lateral movement within the network.
Patches available from the manufacturer should be applied according to references. Additionally, it is recommended to restrict access to the device management interface only to trusted IP addresses and to isolate the device from unauthorized network segments until updates are deployed.
D-Link DSL-225 devices and their firmware — specific versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink Dsl 225
HWDlinkwszystkie wersjeDlink Dsl 225 Firmware
OSDlinkbz_1.00.16
Related vulnerabilities
D-Link DSL-225: Authentication Bypass przez atak capture-replay
D-Link DNS-320L/325/327L/340L — zakodowane na stałe poświadczenia (hard-coded credentials)
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to roo...
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli para...
D-Link Go-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 are vulnerable to Buffer Overflow via...