CVE-2023-33735

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on D-Link DIR-846 routers via the tomography_ping_address parameter in the HNAP1 interface. Attackers can gain full control of affected devices without authentication. All users of D-Link DIR-846 routers with the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • D-Link DIR-846
Versions: v1.00A52
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the HNAP1 interface which is typically enabled by default on these routers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal network devices, and use the router as part of a botnet.

🟠 Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of cryptocurrency miners or other malware.

🟢 If Mitigated

Limited impact if router is behind firewall with restricted WAN access and regular firmware updates are applied.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Could still be exploited by malicious insiders or through compromised internal devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in a GitHub repository. A simple HTTP request with a crafted parameter can trigger RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for latest patched version

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Log into router admin interface.
2. Navigate to firmware update section.
3. Download latest firmware from D-Link support site.
4. Upload and apply firmware update.
5. Reboot router after update completes.

🔧 Temporary Workarounds

Disable HNAP1 Interface

Disable the vulnerable HNAP1 interface if not required for functionality

Restrict WAN Access

Configure the firewall to block external access to the router admin interface (ports 80/443)

🧯 If You Can't Patch

  • Replace router with updated model or different vendor
  • Place router behind dedicated firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is v1.00A52, device is vulnerable.

Check Version:

Check via the router web interface, or run the following with router-ip replaced by the router's address: curl -s http://router-ip/HNAP1/ | grep firmware

Verify Fix Applied:

Verify firmware version has been updated to a version later than v1.00A52. Test HNAP1 interface with known exploit payloads (in controlled environment).

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /HNAP1 with tomography_ping_address parameter containing shell commands
  • Multiple failed login attempts followed by successful HNAP1 access

Network Indicators:

  • HTTP requests to router IP on port 80/443 with unusual parameter values
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router-logs" AND (uri_path="/HNAP1" AND (param="tomography_ping_address" OR contains(param_value, "$") OR contains(param_value, "|")))
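
The log indicator above, as an added detection example (not part of the original advisory or any vendor tooling): it pulls the tomography_ping_address value out of logged /HNAP1 requests, URL-decodes it, and flags anything that is not a plain IP address or hostname, which generalizes the "$" and "|" checks in the query to an allowlist. The key=value log layout, the body encodings and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

PARAM = "tomography_ping_address"
# Capture the value from JSON ("k":"v"), form (k=v) or XML (<k>v</k>) bodies.
VALUE_RE = re.compile(
    r'"%s"\s*:\s*"((?:[^"\\]|\\.)*)"|%s=([^&\s]*)|<%s>(.*?)</%s>' % ((PARAM,) * 4)
)
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"%s(?:\.%s)*" % (LABEL, LABEL))

# Constructed sample lines; the log layout and body encodings are assumptions.
SAMPLE_LOG = [
    'src=192.0.2.50 method=POST uri=/HNAP1/ body={"tomography_ping_address":"192.0.2.10"}',
    'src=192.0.2.50 method=POST uri=/HNAP1/ body={"tomography_ping_address":"example.com"}',
    'src=198.51.100.7 method=POST uri=/HNAP1/ body={"tomography_ping_address":"192.0.2.10$PLACEHOLDER"}',
    'src=198.51.100.7 method=POST uri=/HNAP1/ body=tomography_ping_address=192.0.2.10%7CPLACEHOLDER',
    'src=192.0.2.50 method=GET uri=/index.html body=-',
]


def is_plain_ping_target(value):
    """True only for an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def suspicious_hnap_lines(lines):
    """Return (line_number, decoded_value) for every non-allowlisted value."""
    hits = []
    for number, line in enumerate(lines, 1):
        if "/HNAP1" not in line:
            continue
        for match in VALUE_RE.finditer(line):
            raw = next(g for g in match.groups() if g is not None)
            value = unquote_plus(raw)  # undo %7C-style encoding before checking
            if value and not is_plain_ping_target(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_hnap_lines(SAMPLE_LOG):
        print(f"line {number}: suspicious {PARAM} value {value!r}")
```

Decoding before validation matters here: the fourth sample line carries its "|" as %7C, which a literal match on "|" in the raw log would not see.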
