D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991.
The D-Link D-View application uses a fixed, immutable hardcoded cryptographic key in the TokenUtils class to generate or validate authentication tokens. An attacker, knowing this key, can independently generate a valid session token or authentication credentials. As a result, the system accepts forged data as correct identity without requiring actual authentication credentials. The attack is possible remotely, over the network, without any prior privileges.
An attacker can completely bypass the authentication mechanism and gain unauthorized access to the D-Link D-View system, which may lead to complete takeover of the application, disclosure of sensitive data, and modification of managed network infrastructure configuration.
Apply patches available from the vendor according to the references. Detailed information about patched versions is available in the ZDI-24-447 advisory (https://www.zerodayinitiative.com/advisories/ZDI-24-447/). Until the patch is deployed, it is recommended to restrict network access to the D-View interface only to trusted hosts and to isolate the system from the public Internet.
D-Link D-View 8 — specific versions indicated in the vendor's references and in the Zero Day Initiative advisory (ZDI-24-447)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink D View 8
APPDlink2.0.1.28
Related vulnerabilities
D-Link D-View: hardcoded credentials umożliwiają bypass uwierzytelnienia
D-Link D-View: RCE przez ujawnioną niebezpieczną funkcję w coreservice_action_script
D-Link D-View: RCE przez path traversal w TftpReceiveFileHandler
D-Link D-View: pominięcie uwierzytelnienia przez hardkodowany klucz kryptograficzny
D-Link D-View 8: Manipulacja inwentarzem sond umożliwia RCE i DoS