Login Sign Up

CVE-2018-10824

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to obtain administrative router passwords stored in plaintext via directory traversal or local file inclusion. It affects multiple D-Link router models, enabling full router compromise. Attackers can gain complete control over affected devices.

💻 Affected Systems

Products:
  • D-Link DWR-116
  • DIR-140L
  • DIR-640L
  • DWR-512
  • DWR-712
  • DWR-912
  • DWR-921
  • DWR-111
Versions: Through versions specified in CVE (e.g., DWR-116 through 1.06)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. The password file exists in /tmp/csman/0 directory.

📦 What is this software?

Dir 140l Firmware by Dlink

View all CVEs affecting Dir 140l Firmware →

Dir 640l Firmware by Dlink

View all CVEs affecting Dir 640l Firmware →

Dwr 111 Firmware by Dlink

View all CVEs affecting Dwr 111 Firmware →

Dwr 116 Firmware by Dlink

View all CVEs affecting Dwr 116 Firmware →

Dwr 512 Firmware by Dlink

View all CVEs affecting Dwr 512 Firmware →

Dwr 712 Firmware by Dlink

View all CVEs affecting Dwr 712 Firmware →

Dwr 912 Firmware by Dlink

View all CVEs affecting Dwr 912 Firmware →

Dwr 921 Firmware by Dlink

View all CVEs affecting Dwr 921 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router takeover allowing traffic interception, network pivoting, malware deployment, and persistent backdoor installation.

🟠

Likely Case

Unauthorized administrative access leading to DNS hijacking, credential theft, and network surveillance.

🟢

If Mitigated

Limited impact with proper network segmentation and external access controls preventing exploitation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exposure is primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires directory traversal or LFI vulnerability to access the password file. Public proof-of-concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for specific fixed versions per model

Vendor Advisory: https://support.dlink.com/

Restart Required: Yes

Instructions:

1. Check D-Link support site for firmware updates for your specific model. 2. Download and install latest firmware. 3. Reboot router. 4. Change administrative password after update.

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router administration interface

Network segmentation

all

Isolate affected routers from critical network segments

🧯 If You Can't Patch

  • Replace affected devices with supported models
  • Implement strict firewall rules limiting access to router administration interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version against affected versions list. Attempt to access /tmp/csman/0 via web interface if directory traversal exists.

Check Version:

Check router web interface under Status or Administration section for firmware version

Verify Fix Applied:

Verify firmware version is above affected range. Confirm password file is no longer accessible or encrypted.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login
  • Access to unusual file paths in web logs
  • Administrative access from unexpected IP addresses

Network Indicators:

  • Unusual outbound connections from router
  • DNS changes not initiated by administrator
  • Traffic redirection patterns

SIEM Query:

source="router_logs" AND (path="*csman*" OR path="*tmp*" OR (event="login" AND result="success" AND src_ip NOT IN allowed_admin_ips))

📊 Metadata

CVE ID: CVE-2018-10824
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22
Published: October 17, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-10824, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)