CVE-2023-26616

9.8 CRITICAL

📋 TL;DR

CVE-2023-26616 is a critical buffer overflow vulnerability in D-Link DIR-823G routers that allows remote attackers to execute arbitrary code or cause denial of service. The vulnerability exists in the HNAP1 protocol's SetParentsControlInfo function when processing overly long URL fields. All users of affected firmware versions are at risk.

💻 Affected Systems

Products:
  • D-Link DIR-823G
Versions: 1.02B05
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: HNAP1 protocol enabled by default on affected devices. No authentication required to trigger the vulnerable endpoint.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains full control of the router, enabling network traffic interception, credential theft, lateral movement to internal networks, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to router compromise, allowing attackers to modify DNS settings, intercept traffic, or use the device as a botnet node.

🟢

If Mitigated

Denial of service causing router reboot or instability if exploit attempts are blocked but still trigger the vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is available in public repositories. Exploitation requires sending a specially crafted HTTP POST request to the HNAP1 endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for latest firmware

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit the D-Link support website
2. Download the latest firmware for the DIR-823G
3. Log into the router admin interface
4. Navigate to the firmware update section
5. Upload and apply the new firmware
6. Reboot the router

🔧 Temporary Workarounds

Disable HNAP1 Protocol

Applies to: all

Disable the vulnerable HNAP1 protocol if it is not required for functionality.

Network Segmentation

Applies to: all

Isolate DIR-823G routers from the internet and from critical internal networks.

🧯 If You Can't Patch

  • Replace affected devices with patched or alternative models
  • Implement strict network access controls to limit exposure to HNAP1 endpoints

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router web interface. If the version is 1.02B05, the device is vulnerable.

Check Version:

Check the router web interface, or use nmap to identify the firmware version.

Verify Fix Applied:

Verify that the firmware version has been updated to one later than 1.02B05.
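The version check above can be scripted against the device's own HNAP1 device-settings reply. The following is an added example, not code from this advisory or from D-Link: it parses a constructed sample of a GetDeviceSettings SOAP response (the element names and namespace are assumptions about the reply format and may differ on a real DIR-823G), extracts the FirmwareVersion string, and compares it with the affected version using the "major.minor B build" scheme that strings like 1.02B05 follow.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an HNAP1 GetDeviceSettings response. The element names
# and namespace are assumptions about the device's SOAP reply; the real
# DIR-823G response may differ, so adjust the lookup if it does.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <ModelName>DIR-823G</ModelName>
      <FirmwareVersion>1.02B05</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""

ADVISORY_VERSION = "1.02B05"  # affected version named in this advisory

# D-Link firmware strings look like "1.02B05": major.minor, then a build
# number after the letter B. The pattern is an assumption drawn from that format.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)B(\d+)$")


def parse_dlink_version(text: str) -> tuple[int, ...]:
    """Turn '1.02B05' into a comparable tuple (1, 2, 5)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised D-Link version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def firmware_version_from_xml(body: str) -> str:
    """Pull FirmwareVersion out of the (assumed) GetDeviceSettings reply, ignoring namespaces."""
    root = ET.fromstring(body)
    node = root.find(".//{*}FirmwareVersion")
    if node is None or not node.text:
        raise ValueError("FirmwareVersion element not found in response")
    return node.text.strip()


def classify(version: str) -> str:
    """Compare a firmware string against the advisory's affected version."""
    found = parse_dlink_version(version)
    affected = parse_dlink_version(ADVISORY_VERSION)
    if found == affected:
        return "vulnerable"
    if found < affected:
        return "older than the advisory version; not listed as affected, confirm against the vendor bulletin"
    return "patched (later than 1.02B05)"


def check_device(response_body: str) -> dict:
    """Full check: parse the reply, then classify the version it reports."""
    version = firmware_version_from_xml(response_body)
    return {"firmware": version, "status": classify(version)}


if __name__ == "__main__":
    print(check_device(SAMPLE_RESPONSE))
```

Comparing as a tuple rather than as a string matters because "1.02B10" sorts before "1.02B05" lexically but is the later build; the parser normalises the padded build number so the comparison is numeric.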

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /HNAP1/SetParentsControlInfo
  • Large payloads in URL parameters
  • Router crash/reboot logs

Network Indicators:

  • HTTP traffic to router port 80 with large POST requests to HNAP1 endpoints
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (uri="/HNAP1/SetParentsControlInfo" OR message="buffer overflow")
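The log indicators listed above can be turned into a small triage script for access logs exported from the router or a fronting proxy. The following is an added example, not code from this advisory: it runs over constructed sample log lines (combined log format with one extra trailing field for the request body size, an assumed logging extension) and scores each POST to /HNAP1/SetParentsControlInfo by the indicators the advisory names: the endpoint itself, an oversized request body, a 5xx status suggesting the handler crashed, and a source outside the management networks. The size threshold and the management network list are assumptions to tune to your environment.

```python
import ipaddress
import re
from collections import Counter

ENDPOINT = "/HNAP1/SetParentsControlInfo"
LARGE_BODY_BYTES = 2048  # assumed threshold; a legitimate parental-control update is far smaller
# Assumed management networks; requests from anywhere else are treated as suspicious.
MANAGEMENT_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample access log: combined log format plus one trailing field
# holding the request body size in bytes (an assumed logging extension).
SAMPLE_LOG = """\
192.168.0.10 - - [12/Mar/2023:10:01:22 +0000] "GET /HNAP1/ HTTP/1.1" 200 1893 "-" "Mozilla/5.0" 0
192.168.0.10 - - [12/Mar/2023:10:02:05 +0000] "POST /HNAP1/SetParentsControlInfo HTTP/1.1" 200 312 "-" "Mozilla/5.0" 640
203.0.113.77 - - [12/Mar/2023:10:05:41 +0000] "POST /HNAP1/SetParentsControlInfo HTTP/1.1" 500 0 "-" "python-requests/2.28" 6144
203.0.113.77 - - [12/Mar/2023:10:05:43 +0000] "POST /HNAP1/SetParentsControlInfo HTTP/1.1" 500 0 "-" "python-requests/2.28" 6144
192.168.0.10 - - [12/Mar/2023:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0" 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+) "[^"]*" "[^"]*" (?P<req_bytes>\d+)$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def is_management_source(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def reasons_for(rec: dict) -> list[str]:
    """Apply the advisory's log indicators to one parsed request."""
    if rec["method"] != "POST" or rec["uri"] != ENDPOINT:
        return []
    reasons = ["POST to vulnerable HNAP1 endpoint"]
    if rec["req_bytes"] >= LARGE_BODY_BYTES:
        reasons.append(f"oversized request body ({rec['req_bytes']} bytes)")
    if rec["status"] >= 500:
        reasons.append(f"server error {rec['status']}, possible crash of the HNAP handler")
    if not is_management_source(rec["src"]):
        reasons.append("source outside management networks")
    return reasons


def severity(reasons: list[str]) -> str:
    """One indicator alone is only worth a look; three or more is an attack pattern."""
    return "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"


def analyze(log_text: str) -> list[dict]:
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "severity": severity(reasons), "reasons": reasons})
    return alerts


def attempts_by_source(alerts: list[dict]) -> Counter:
    """Count high-severity hits per source so repeated attempts stand out."""
    return Counter(a["src"] for a in alerts if a["severity"] == "high")


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["src"]} [{a["severity"]}] ' + "; ".join(a["reasons"]))
    print("high-severity attempts per source:", dict(attempts_by_source(found)))
```

On the sample, the internal admin's small POST scores low (the endpoint is used legitimately by the parental-control page), while the two external requests with oversized bodies and 500 responses score high, which is the combination worth an alert rather than the endpoint hit alone.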
