Description
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have access to the router control panel with administrator privileges.
References (1)
Core 1
Core References
Mitigation, Third Party Advisory x_refsource_misc
https://www.gubello.me/blog/router-dlink-dva-5592-authentication-bypass/
Scores
CVSS v3
9.8
EPSS
0.0056
EPSS Percentile
68.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
dlink/dva-5592_firmware
a1_wi_20180823
Published
Dec 18, 2018
Tracked Since
Feb 18, 2026