CRITICAL🇵🇱 Wersja polska

CVE-2024-5296

CVSS 9.8v3.0pub. 2024-05-23upd. 2025-08-06

D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991.

🤖 AI Analysis
How it works

The D-Link D-View application uses a fixed, immutable hardcoded cryptographic key in the TokenUtils class to generate or validate authentication tokens. An attacker, knowing this key, can independently generate a valid session token or authentication credentials. As a result, the system accepts forged data as correct identity without requiring actual authentication credentials. The attack is possible remotely, over the network, without any prior privileges.

Impact

An attacker can completely bypass the authentication mechanism and gain unauthorized access to the D-Link D-View system, which may lead to complete takeover of the application, disclosure of sensitive data, and modification of managed network infrastructure configuration.

Mitigation & patch

Apply patches available from the vendor according to the references. Detailed information about patched versions is available in the ZDI-24-447 advisory (https://www.zerodayinitiative.com/advisories/ZDI-24-447/). Until the patch is deployed, it is recommended to restrict network access to the D-View interface only to trusted hosts and to isolate the system from the public Internet.

Who is affected

D-Link D-View 8 — specific versions indicated in the vendor's references and in the Zero Day Initiative advisory (ZDI-24-447)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dlink D View 8

    APP
    Dlink
    2.0.1.28
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2023-44411CRITICAL9.8PL ✓ten sam produkt

D-Link D-View: hardcoded credentials umożliwiają bypass uwierzytelnienia

CVE-2023-44414CRITICAL9.8PL ✓ten sam produkt

D-Link D-View: RCE przez ujawnioną niebezpieczną funkcję w coreservice_action_script

CVE-2023-32165CRITICAL9.8PL ✓ten sam produkt

D-Link D-View: RCE przez path traversal w TftpReceiveFileHandler

CVE-2023-32169CRITICAL9.8PL ✓ten sam produkt

D-Link D-View: pominięcie uwierzytelnienia przez hardkodowany klucz kryptograficzny

CVE-2023-7163CRITICAL10.0PL ✓ten sam produkt

D-Link D-View 8: Manipulacja inwentarzem sond umożliwia RCE i DoS