CVE-2017-3191

9.8 CRITICAL

📋 TL;DR

D-Link DIR-130 and DIR-330 routers with vulnerable firmware versions allow remote attackers to bypass authentication on the remote management login page. By manipulating POST requests, attackers can access administrator-only pages without credentials. This affects organizations and individuals using these specific router models with the vulnerable firmware.

💻 Affected Systems

Products:
  • D-Link DIR-130
  • D-Link DIR-330
Versions: DIR-130 firmware version 1.23, DIR-330 firmware version 1.12
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the remote management web interface. Default configurations typically have remote management enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of router administration, allowing an attacker to reconfigure network settings, intercept traffic, install malicious firmware, or use the router as a pivot point into the internal network.

🟠 Likely Case

Unauthorized access to the router administration panel leading to network configuration changes, DNS hijacking, or credential theft.

🟢 If Mitigated

Limited impact if remote management is disabled or proper network segmentation isolates the router's management interface.

🌐 Internet-Facing: HIGH - Remote management interface is typically internet-facing on these routers, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - If remote management is disabled but an attacker gains internal access, the same authentication bypass still works against the management interface from the LAN.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves simple HTTP POST request manipulation. Public proof-of-concept code and technical details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: DIR-130 firmware 1.23B01 or later, DIR-330 firmware 1.13 or later

Vendor Advisory: https://support.dlink.com/security/

Restart Required: Yes

Instructions:

1. Download the latest firmware from the D-Link support site.
2. Log into the router admin panel.
3. Navigate to Tools > Firmware.
4. Upload and install the new firmware.
5. The router will reboot automatically.

🔧 Temporary Workarounds

Disable Remote Management (applies to: all)

Turn off the remote administration feature to prevent external access to the vulnerable interface.

Login to router admin > Tools > Admin > Remote Management > Disable

Restrict Access with Firewall Rules (applies to: linux)

Block external access to the router management ports (typically 8080, 443, 80).

iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP

Note that the INPUT chain only covers traffic addressed to the host running these rules; on a separate firewall in front of the router the equivalent rules belong in the FORWARD chain, and they should be scoped to the WAN-facing interface (-i <wan-interface>) so that LAN-side administration keeps working.

🧯 If You Can't Patch

  • Replace affected routers with newer models or different vendors
  • Place routers behind dedicated firewall with strict inbound rules blocking management ports

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel under Status > Firmware. If DIR-130 shows 1.23 or DIR-330 shows 1.12, you are vulnerable.

Check Version:

curl -k https://router-ip/status.cgi | grep firmware

Verify Fix Applied:

After patching, verify firmware version shows DIR-130 1.23B01+ or DIR-330 1.13+. Test remote login page with invalid credentials to confirm authentication is required.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful access to admin pages
  • POST requests to tools_admin.asp without preceding successful login

Network Indicators:

  • HTTP POST requests to router IP on port 8080/443 with manipulated parameters
  • Unauthorized access to admin pages from external IPs

SIEM Query:

source="router-logs" (url="*/tools_admin.asp" OR url="*/admin/*") AND NOT (user="admin" AND auth="success")
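The log indicators above (admin pages served without, or after a failed, login) applied to a handful of constructed access-log lines; this is an added example, not a tool from the advisory or from D-Link, and the log format, the client IPs and the login-page placeholder are assumptions:

```python
import re

# Constructed sample log lines. The format is an assumption for this example,
# not the routers' real log format:
#   <timestamp> <client-ip> <method> <path> <http-status> auth=<result>
# The login page path is a placeholder because the advisory does not name it.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 POST /LOGIN-PAGE-PLACEHOLDER 200 auth=success
2024-01-01T10:00:02 203.0.113.5 POST /tools_admin.asp 200 auth=-
2024-01-01T10:05:00 198.51.100.7 POST /LOGIN-PAGE-PLACEHOLDER 401 auth=fail
2024-01-01T10:05:01 198.51.100.7 POST /tools_admin.asp 200 auth=-
2024-01-01T10:06:00 192.0.2.9 GET /admin/EXAMPLE-PAGE 200 auth=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\S+)$"
)
# Admin-only pages named in the advisory's log and SIEM indicators.
ADMIN_PATH_RE = re.compile(r"^/tools_admin\.asp$|^/admin/")


def find_unauthenticated_admin_access(log_text):
    """Return (ip, path, reason) for every admin page served (HTTP 200) to a
    client IP that has no earlier successful login in the log."""
    authenticated = set()   # IPs with a prior auth=success
    failed = set()          # IPs whose most recent login attempt failed
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # skip lines that do not fit the assumed format
        ip, path, auth = m["ip"], m["path"], m["auth"]
        if auth == "success":
            authenticated.add(ip)
            failed.discard(ip)
        elif auth == "fail":
            failed.add(ip)
        served = m["status"] == "200" and ADMIN_PATH_RE.search(path)
        if served and ip not in authenticated:
            reason = ("admin page served after failed login" if ip in failed
                      else "admin page served with no login at all")
            findings.append((ip, path, reason))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_unauthenticated_admin_access(SAMPLE_LOG):
        print(f"ALERT {ip} {path}: {reason}")
```

The first client logs in successfully before touching tools_admin.asp and is not reported; the other two are, which is the same condition the SIEM query above expresses.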
