CVE-2023-35735

8.8 HIGH

📋 TL;DR

This is a critical stack-based buffer overflow vulnerability in D-Link DAP-2622 routers that allows network-adjacent attackers to execute arbitrary code as root without authentication. The flaw exists in the DDP service when processing password change requests with overly long usernames. All users of affected DAP-2622 routers are at risk.

💻 Affected Systems

Products:
  • D-Link DAP-2622
Versions: All versions prior to firmware 1.10B02
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: DDP service runs by default on port 6050/TCP. No authentication required to trigger the vulnerable endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router with root-level remote code execution, allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and brick the device.

🟠 Likely Case

Router takeover leading to man-in-the-middle attacks, credential theft, network surveillance, and potential lateral movement to connected devices.

🟢 If Mitigated

Limited impact if the router is isolated from untrusted networks, though it remains vulnerable to insider threats or compromised internal devices.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI has published technical details but no public exploit code. The vulnerability requires network adjacency but no authentication, making exploitation straightforward for attackers on the same network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware 1.10B02

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349

Restart Required: Yes

Instructions:

1. Download firmware 1.10B02 from the D-Link support site.
2. Log into the router web interface.
3. Navigate to Maintenance > Firmware Update.
4. Upload the firmware file.
5. Wait for the automatic reboot.
6. Verify the new firmware version.

🔧 Temporary Workarounds

Block DDP Service Port (Linux shell)

Block access to the vulnerable DDP service port using firewall rules:

iptables -A INPUT -p tcp --dport 6050 -j DROP
iptables -A INPUT -p udp --dport 6050 -j DROP

Disable DDP Service (Linux shell)

Disable the DDP service if it is not required for functionality:

killall ddpd
chmod -x /usr/sbin/ddpd

Both workarounds change only the running system; in-memory firewall rules and a killed process generally do not survive a reboot unless they are persisted in the device's startup configuration, so re-check the port and the process after any restart.

🧯 If You Can't Patch

  • Isolate the router on a dedicated VLAN with strict access controls
  • Implement network segmentation to limit lateral movement from compromised router

🔍 How to Verify

Check if Vulnerable:

Check the current firmware version via the web interface (Status > Device Info) or SSH (cat /etc/version). If the version is earlier than 1.10B02, the device is vulnerable.

Check Version:

cat /etc/version

Verify Fix Applied:

Verify that the firmware version shows 1.10B02 or later. Test the DDP service's response to malformed requests (requires specialized testing).

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed DDP connection attempts
  • Unusual process execution from DDP service
  • Buffer overflow patterns in system logs

Network Indicators:

  • Unusual traffic to port 6050/TCP
  • Large username fields in DDP packets
  • Exploit pattern: 'DDP Change ID Password' requests with oversized data

SIEM Query:

source="router.log" AND ("ddp" OR "6050") AND ("overflow" OR "crash" OR "segfault")
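As an added example (not part of this advisory and not D-Link code), the version check from "How to Verify" and the keyword logic of the SIEM query above, written as two small Python functions: one parses D-Link style version strings such as 1.10B02 and compares them against the fixed release, the other flags log lines that mention the DDP service or its port together with a crash-like symptom. The sample log lines are constructed, not captured from a real device.

```python
import re
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = "1.10B02"  # fixed firmware version named in the advisory

# Matches "1.10B02", "1.10", or "v1.10b02"; the build suffix is optional.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:B(\d+))?\s*$", re.IGNORECASE)


def parse_dlink_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a D-Link style version string into (major, minor, build).
    Returns None if the string does not look like a version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, build = m.groups()
    return int(major), int(minor), int(build or 0)


def is_vulnerable_firmware(version: str) -> Optional[bool]:
    """True if earlier than 1.10B02, False if 1.10B02 or later,
    None if the version string could not be parsed."""
    parsed = parse_dlink_version(version)
    if parsed is None:
        return None
    return parsed < parse_dlink_version(FIXED_VERSION)


# Keyword sets mirror the SIEM query: a line must mention the DDP service
# (or its port) AND a crash-like symptom to be reported.
DDP_TERMS = ("ddp", "6050")
CRASH_TERMS = ("overflow", "crash", "segfault")


def find_ddp_crash_indicators(lines: Iterable[str]) -> List[str]:
    """Return the log lines matching the advisory's SIEM query logic."""
    hits = []
    for line in lines:
        low = line.lower()
        if any(t in low for t in DDP_TERMS) and any(t in low for t in CRASH_TERMS):
            hits.append(line.rstrip("\n"))
    return hits


# Constructed sample log lines (hypothetical, for illustration only).
SAMPLE_LOG = [
    "kern.info ddpd[312]: accepted connection from 192.0.2.7 on port 6050",
    "kern.err ddpd[312]: segfault at 00000004 ip 00412c48 sp 7f9c2e10",
    "daemon.notice httpd: admin login from 192.0.2.9",
    "kern.warn kernel: port 6050 listener crash, restarting ddpd",
]

if __name__ == "__main__":
    print("1.09B04 vulnerable:", is_vulnerable_firmware("1.09B04"))
    for hit in find_ddp_crash_indicators(SAMPLE_LOG):
        print("indicator:", hit)
```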
