Shaunak Ganorkar

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-868L B1 router firmware version FW2.05WWB02 **Description** The D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the `fileaccess.cgi` component. The `/dws/api/UploadFile` API endpoint accepts a `pre api arg` parameter which is passed directly to system-level shell execution functions without proper sanitization or authentication. This allows remote attackers to execute arbitrary commands as root through crafted HTTP requests. **Recommendations** Update to a newer version of the firmware that addresses this issue. As a temporary workaround, restrict access to the `/dws/api/UploadFile` endpoint. Avoid using the `pre api arg` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Tenda CP3 Pro firmware version 22.5.4.93 Description: The Tenda CP3 Pro firmware contains a hardcoded root password hash in the /etc/passwd file and /etc/passwd-. An attacker with access to the firmware image can extract and attempt to crack the root password hash, potentially obtaining administrative access. Recommendations: Update to a newer version of the firmware that addresses this issue.

Name of the Vulnerable Software and Affected Versions: Tenda CP3 Pro version 22.5.4.93 Description: An insecure permissions issue exists in the Tenda CP3 Pro firmware. The telnet service (`telnetd`) is enabled by default during boot via the initialization script `/etc/init.d/eth.sh`. This allows remote attackers to connect to the device’s shell over the network, potentially without authentication if default or weak credentials are present. Recommendations: Update to a newer version that contains a fix for this issue. As a temporary workaround, consider disabling the telnet service until a patch is available.

Name of the Vulnerable Software and Affected Versions: D-Link DCS-825L firmware versions prior to 1.09.02 Description: The D-Link DCS-825L firmware contains a flaw in the watchdog script `mydlink-watch-dog.sh`. This script blindly respawns binaries, including `dcp` and `signalc`, without verifying their integrity, authenticity, or permissions. An attacker with local filesystem access can replace these binaries with malicious payloads. The script then executes these binaries as root in a continuous loop, resulting in persistent privilege escalation and arbitrary code execution. Recommendations: Update to firmware version 1.09.02 or later.

Name of the Vulnerable Software and Affected Versions: D-Link DCS-825L firmware versions prior to 1.08.01 Description: The D-Link DCS-825L firmware contains an insecure implementation in the `mydlink-watch-dog.sh` script. This script monitors and restarts the `dcp` and `signalc` binaries without verifying their integrity, origin, or permissions. An attacker gaining filesystem access can replace these binaries to execute arbitrary code persistently with root privileges. The issue arises from a lack of executable trust and integrity checks within the watchdog logic. Recommendations: Update to a firmware version newer than 1.08.01. As a temporary workaround, restrict filesystem access to prevent unauthorized modification of the `dcp` and `signalc` binaries.

**Name of the Vulnerable Software and Affected Versions** D-Link DPH-400S/SE VoIP Phone version 1.01 **Description** The issue concerns hardcoded provisioning variables in the firmware, including `PROVIS USER PASSWORD`, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools, potentially leading to unauthorized access to device functions or user accounts. This is due to insecure storage of sensitive information in the firmware binary. **Recommendations** For D-Link DPH-400S/SE VoIP Phone version 1.01, consider restricting access to the device's firmware and provisioning variables to minimize the risk of exploitation. As a temporary workaround, avoid using the `PROVIS USER PASSWORD` variable until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.