CVE-2023-37324 – This vulnerability allows network-adjacent atta... (How to Fix)

Q: What is the severity of CVE-2023-37324?

CVE-2023-37324 has a CVSS score of 8.8 (HIGH). This vulnerability allows network-adjacent attackers to execute arbitrary code as root on D-Link DAP-2622 routers without authentication by exploiting a stack-based buffer overflow in the DDP service. It affects users of D-Link DAP-2622 routers with vulnerable firmware versions.

📋 TL;DR

This vulnerability allows network-adjacent attackers to execute arbitrary code as root on D-Link DAP-2622 routers without authentication by exploiting a stack-based buffer overflow in the DDP service. It affects users of D-Link DAP-2622 routers with vulnerable firmware versions.

💻 Affected Systems

Products:

D-Link DAP-2622

Versions: Firmware versions prior to 1.10B05

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The DDP service is enabled by default on affected devices, making them vulnerable out-of-the-box if not updated.

📦 What is this software?

Dap 2622 Firmware by Dlink

View all CVEs affecting Dap 2622 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root-level remote code execution, enabling attackers to take complete control of the router, intercept traffic, or pivot to other network devices.

🟠

Likely Case

Remote code execution leading to router compromise, potentially allowing attackers to modify settings, steal credentials, or launch further attacks.

🟢

If Mitigated

Limited impact if the router is patched or isolated, but exploitation could still occur if vulnerable and exposed.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward due to the lack of authentication and buffer overflow, but no public proof-of-concept has been disclosed as of the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.10B05 or later

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349

Restart Required: Yes

Instructions:

1. Download the latest firmware from D-Link's support site. 2. Log into the router's web interface. 3. Navigate to the firmware update section. 4. Upload and apply the new firmware file. 5. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable DDP Service

all

Turn off the DDP service to block the attack vector, though this may affect certain router functionalities.

Check router web interface for service settings; no universal command available.

Network Segmentation

all

Isolate the router on a separate VLAN to limit access to network-adjacent attackers.

Configure VLANs on your network switch or firewall.

🧯 If You Can't Patch

Restrict network access to the router using firewall rules to allow only trusted IP addresses.
Monitor network traffic for unusual activity targeting the DDP service on port 29808.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router's web interface under System or Maintenance settings; if it is below 1.10B05, it is vulnerable.

Check Version:

No universal command; use the router's web interface or SSH if enabled to check the firmware version.

Verify Fix Applied:

After updating, confirm the firmware version is 1.10B05 or higher in the router's web interface.

📡 Detection & Monitoring

Log Indicators:

Unusual traffic or connection attempts to port 29808 (DDP service) in router logs.

Network Indicators:

Suspicious packets or buffer overflow attempts targeting the DDP service on UDP/TCP port 29808.

SIEM Query:

Example: 'source_port:29808 OR dest_port:29808 AND (event_type:buffer_overflow OR payload_size:large)'

📊 Metadata

CVE ID: CVE-2023-37324

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: May 3, 2024

Last Updated: May 13, 2025

🔗 References

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349 Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1278/ Third Party Advisory
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349 Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1278/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37324, you might also want to check these: