CVE-2024-7715

MEDIUM

D-Link DNS-120-DNS-1550-04 - Command Injection

Title source: llm

Description

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240812. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/photocenter_mgr.cgi. The manipulation of the argument filter leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

References (5)

Core References
Permissions Required, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.274281
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.274281
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.389261

Scores

CVSS v3 6.3
EPSS 0.2447
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-77
Status published
Products (20)
D-Link/DNR-202L 20240812
D-Link/DNR-322L 20240812
D-Link/DNR-326 20240812
D-Link/DNS-1100-4 20240812
D-Link/DNS-120 20240812
D-Link/DNS-1200-05 20240812
D-Link/DNS-1550-04 20240812
D-Link/DNS-315L 20240812
D-Link/DNS-320 20240812
D-Link/DNS-320L 20240812
... and 10 more
Published Aug 13, 2024
Tracked Since Feb 18, 2026