CVE-2023-34274

Name of the Vulnerable Software and Affected Versions D-Link DIR-2150 (affected versions not specified)

Description The issue is related to the implementation of the LoginPassword function in the D-Link DIR-2150 router's software, which allows for authentication bypass. This can be exploited by a remote attacker using a specially crafted request. The vulnerability exists within the SOAP API interface, which listens on TCP port 80 by default. A crafted login request can cause authentication to succeed without providing proper credentials, allowing an attacker to bypass authentication on the system.

Recommendations As a temporary workaround, consider disabling the LoginPassword function until a patch is available. Restrict access to the SOAP API interface to minimize the risk of exploitation. Avoid using the default TCP port 80 for the SOAP API interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.