D-Link, a Taiwanese networking solutions vendor, has addressed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code. D-View is widely used by businesses for network monitoring, device configuration, and network mapping.
Security researchers from Trend Micro’s Zero Day Initiative discovered six flaws in D-View, reporting them to D-Link in December 2022.
Furthermore, among these vulnerabilities, two were classified as critical, with a CVSS score of 9.8, granting unauthenticated attackers significant control over affected installations.
The first critical flaw, identified as CVE-2023-32165, is a remote code execution vulnerability stemming from insufficient validation of user-supplied paths in file operations.
Exploiting this flaw enables attackers to execute code with SYSTEM privileges, potentially leading to complete system takeover.
Additionally, the second critical flaw, designated as CVE-2023-32169, is an authentication bypass issue resulting from the use of a hardcoded cryptographic key in the TokenUtils class. This vulnerability allows attackers to escalate privileges, gain unauthorized access to information, modify configurations, and even install backdoors and malware.
D-Link has released an advisory addressing all six reported flaws, urging administrators to upgrade to version 220.127.116.11 of D-View 8, released on May 17, 2023.
While the company strongly recommends installing the security update, it cautions that the patch is currently undergoing final testing and may introduce some instability to D-View. Users are advised to verify the hardware revision of their products before downloading the corresponding firmware update.