CVE-2023-26615

7.5 HIGH

📋 TL;DR

CVE-2023-26615 is a password reset vulnerability in D-Link DIR-823G routers that allows unauthenticated attackers to reset the web management interface password via the SetMultipleActions API. This affects users of DIR-823G routers with vulnerable firmware, potentially allowing attackers to take full administrative control of the device.

💻 Affected Systems

Products:
  • D-Link DIR-823G
Versions: Firmware version 1.02B05
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected by default. The vulnerability is in the HNAP1 protocol implementation.

📦 What is this software?

The D-Link DIR-823G is a consumer wireless router. Like other D-Link home routers, its web management interface is driven by HNAP (Home Network Administration Protocol), a SOAP-over-HTTP API served at /HNAP1/ on the LAN side; the SetMultipleActions action named in this CVE is one of those HNAP actions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control of the router, enabling them to intercept traffic, redirect DNS for every client behind it, install malware on the device, or use it as part of a botnet.

🟠 Likely Case

Attackers reset the admin password and gain persistent access to the router's management interface, locking out the legitimate administrator and compromising the security and privacy of the network behind it.

🟢 If Mitigated

If the management interface is unreachable from the WAN and reachable on the LAN only from trusted hosts, exploitation requires a foothold on the management segment first; the router is still the network gateway, so a compromised router still compromises everything behind it.

🌐 Internet-Facing: HIGH - The router sits at the network edge. If remote management is enabled, /HNAP1/ is reachable from the internet and the reset needs no credentials.
🏢 Internal Only: MEDIUM - /HNAP1/ is served on the LAN interface by default, so any host on the wired LAN, main Wi-Fi, or an unisolated guest network can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code is available on GitHub. The exploit requires sending crafted HTTP requests to the router's HNAP1 interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check D-Link's official website for firmware updates.
2. If available, download the latest firmware.
3. Log into the router admin interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable Remote Management

Applies to: all affected versions

Disable remote access to the router's web management interface to prevent internet-based attacks.

Restrict Management Interface Access

Applies to: all affected versions

Configure firewall rules to restrict access to the router's management interface to trusted IP addresses only.

🧯 If You Can't Patch

  • Replace the vulnerable router with a different model that receives security updates
  • Isolate the router in a separate network segment to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Login > Tools > Firmware. If version is 1.02B05, device is vulnerable.

Check Version:

curl -s http://router-ip/HNAP1/ | grep -i version

Verify Fix Applied:

After updating firmware, verify the version is no longer 1.02B05. Because no fixed version has been published, a different version number is not proof of a fix: on a device you own, test whether the unauthenticated password reset via the SetMultipleActions API still succeeds.
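The version check above can be automated by parsing the same XML that the curl one-liner greps. The following is an added example, not code from the advisory or from D-Link. It assumes that an unauthenticated GET /HNAP1/ returns a SOAP GetDeviceSettingsResponse in the http://purenetworks.com/HNAP1/ namespace containing ModelName and FirmwareVersion elements, which is the usual HNAP layout; the sample response embedded below is constructed, not captured from a device, and the fetch helper is only used when you point it at a real router.

```python
"""Check an HNAP1 GetDeviceSettings response for the firmware version this
advisory lists as vulnerable (DIR-823G 1.02B05).

Added example, not part of the advisory or D-Link's code. The SOAP layout
and the purenetworks.com/HNAP1/ namespace are assumptions about HNAP
devices; SAMPLE_RESPONSE is constructed for offline use.
"""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

HNAP_NS = "http://purenetworks.com/HNAP1/"

# (model, firmware) pairs this advisory lists as vulnerable. Any other version
# is "not listed", not "known fixed": no patched version has been published.
LISTED_VULNERABLE = {("DIR-823G", "1.02B05")}

# Constructed sample of what GET /HNAP1/ is assumed to return.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<ModelName>DIR-823G</ModelName>
<FirmwareVersion>1.02B05</FirmwareVersion>
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>
"""


def parse_device_settings(xml_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (model, firmware) from a GetDeviceSettingsResponse, or None
    for any element that is absent. Namespace-aware, so a grep-style
    substring match on 'version' is not needed."""
    root = ET.fromstring(xml_text)

    def text_of(tag: str) -> Optional[str]:
        el = root.find(f".//{{{HNAP_NS}}}{tag}")
        return el.text.strip() if el is not None and el.text else None

    return text_of("ModelName"), text_of("FirmwareVersion")


def is_listed_vulnerable(model: Optional[str], firmware: Optional[str]) -> bool:
    """True only when the exact (model, version) pair is in the advisory list.
    Comparison is case-insensitive because firmware strings are sometimes
    reported as '1.02b05'."""
    if not model or not firmware:
        return False
    return (model.strip().upper(), firmware.strip().upper()) in {
        (m.upper(), v.upper()) for m, v in LISTED_VULNERABLE
    }


def fetch_device_settings(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the raw /HNAP1/ response from a router you are authorised to test.
    Not exercised offline; the assumed URL shape is http://<router-ip>/HNAP1/."""
    req = urllib.request.Request(base_url.rstrip("/") + "/HNAP1/")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_router(base_url: Optional[str] = None) -> bool:
    """Run the check against a live router, or against the sample when no
    URL is given. Returns True when the advisory-listed version is present."""
    raw = fetch_device_settings(base_url) if base_url else SAMPLE_RESPONSE
    model, fw = parse_device_settings(raw)
    verdict = is_listed_vulnerable(model, fw)
    print(f"model={model} firmware={fw} listed_vulnerable={verdict}")
    return verdict


if __name__ == "__main__":
    check_router()  # offline run against the constructed sample
```

Run it as `check_router("http://192.168.0.1")` against your own device; a result of False means the listed version is absent, not that the SetMultipleActions reset is fixed, which only the manual test in the paragraph above can establish.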

📡 Detection & Monitoring

Log Indicators:

  • An admin password change that is not preceded by a successful interactive login (the reset is unauthenticated, so failed-login noise is not a prerequisite)
  • Unusual HNAP1 protocol requests to SetMultipleActions endpoint

Network Indicators:

  • HTTP POST requests to /HNAP1/ with SetMultipleActions in payload
  • Unusual traffic patterns from router management interface

SIEM Query:

source="router_logs" AND ("SetMultipleActions" OR "password reset")
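The network and log indicators above amount to one rule: a POST to /HNAP1/ carrying the SetMultipleActions action, weighted by where it came from. The following is an added example, not code from the advisory or from D-Link, that runs that rule over constructed sample lines. It assumes a reverse proxy, IDS, or pcap export has logged source IP, method, path, status and the SOAPAction header for each HNAP request (the router itself will not log this), that HNAP SOAPAction values take the form "http://purenetworks.com/HNAP1/<Action>", and that the LAN and trusted-admin address ranges are the hypothetical ones named in the code.

```python
"""Flag HNAP1 SetMultipleActions requests in request-level logs and rank them
by source.

Added example, not part of the advisory. Log format, address ranges and the
SOAPAction header shape are assumptions; SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumed line format: "<src_ip> <method> <path> <status> \"<SOAPAction>\""
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<action>[^"]*)"$'
)

# Hypothetical topology: one LAN and one host that legitimately administers
# the router. Adjust to the environment being monitored.
LAN_NETS = [ip_network("192.168.0.0/24")]
TRUSTED_ADMIN_HOSTS = [ip_network("192.168.0.10/32")]

# Constructed sample lines; only the three SetMultipleActions POSTs should fire.
SAMPLE_LOG = """\
192.168.0.10 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/GetDeviceSettings"
192.168.0.10 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/Login"
203.0.113.77 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/SetMultipleActions"
192.168.0.55 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/SetMultipleActions"
192.168.0.10 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/SetMultipleActions"
192.168.0.10 GET /index.html 200 ""
192.168.0.55 POST /HNAP1/ 500 "http://purenetworks.com/HNAP1/GetWLanRadios"
"""


@dataclass
class Finding:
    src: str
    action: str
    status: str
    severity: str


def classify_source(src: str) -> str:
    """Severity by origin: outside the LAN is worst (remote management was
    reachable), a non-admin LAN host is next, and even the trusted admin host
    is flagged because SetMultipleActions is not part of normal UI traffic."""
    ip = ip_address(src)
    if any(ip in net for net in TRUSTED_ADMIN_HOSTS):
        return "medium"
    if any(ip in net for net in LAN_NETS):
        return "high"
    return "critical"


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per POST to /HNAP1/ whose SOAPAction ends in
    SetMultipleActions. Lines that do not match the assumed format are
    skipped rather than treated as errors."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].startswith("/HNAP1"):
            continue
        action_name = m["action"].rstrip("/").rsplit("/", 1)[-1]
        if action_name != "SetMultipleActions":
            continue
        findings.append(
            Finding(m["src"], action_name, m["status"], classify_source(m["src"]))
        )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:8} {f.src:15} {f.action} status={f.status}")
```

A 200 status on the flagged request is the indicator that the reset likely succeeded; pair a critical or high finding with the log indicator above (an admin password change with no preceding login) before declaring the device compromised.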
