CVE-2023-41197
📋 TL;DR
This vulnerability allows network-adjacent attackers to execute arbitrary code as root on D-Link DAP-1325 routers without authentication. Attackers can inject malicious commands through the HNAP1 SOAP endpoint's SetHostIPv6StaticSettings parameter. All users of affected D-Link DAP-1325 routers are at risk.
💻 Affected Systems
- D-Link DAP-1325
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full router compromise, allowing an attacker to intercept all network traffic, install persistent malware, pivot to internal networks, and brick the device.
Likely Case
Router takeover enabling traffic monitoring, credential theft, DNS hijacking, and launching attacks against internal devices.
If Mitigated
Limited impact if the router is isolated from sensitive networks and regular monitoring detects anomalous activity.
🎯 Exploit Status
ZDI published technical details and proof-of-concept. Exploitation requires sending crafted HTTP POST requests to the HNAP1 endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 1.11B02
Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10351
Restart Required: Yes
Instructions:
1. Download firmware 1.11B02 from the D-Link support site.
2. Log into the router admin interface.
3. Navigate to the Firmware Update section.
4. Upload and apply the new firmware.
5. Wait for the router to reboot automatically.
🔧 Temporary Workarounds
Disable HNAP1 Service
Disable the vulnerable HNAP1 SOAP endpoint if it is not required.
Requires custom firmware or advanced configuration; not officially supported by D-Link.
Network Segmentation
Isolate the DAP-1325 on a separate VLAN from sensitive systems.
🧯 If You Can't Patch
- Replace affected DAP-1325 routers with updated models or different vendors
- Implement strict network access controls to limit who can reach the router's management interface
🔍 How to Verify
Check if Vulnerable:
Check the current firmware version via the router web interface, or via SSH if it is enabled. If the version is earlier than 1.11B02, the device is vulnerable.
Check Version:
Check via the web interface at http://[router-ip]/ or via SSH with: cat /etc/version
Verify Fix Applied:
Confirm that the firmware version shown in the router admin interface is 1.11B02 or later.
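The version check above is easy to get wrong if the firmware string is compared as text: "1.9B05" sorts after "1.11B02" lexicographically even though it is older. The following added example (not from D-Link or the advisory) parses the D-Link-style "major.minorBbuild" string, as printed by cat /etc/version or shown in the web UI, into integers before comparing it against the fixed version 1.11B02. The regex and the function names are assumptions for this example.

```python
import re
from typing import Optional, Tuple

# Fixed firmware version stated in the advisory.
FIXED_VERSION = "1.11B02"

# Assumed format: "<major>.<minor>B<build>", e.g. "1.11B02"; optional leading "v".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)B(\d+)\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a D-Link style firmware string such as '1.11B02' into (1, 11, 2).

    Returns None when the string does not match, so callers treat unknown
    output (a scraped web page, a typo) as 'could not verify' instead of
    silently comparing the wrong thing.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, build = (int(part) for part in m.groups())
    return (major, minor, build)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version is older than the fixed version, False if fixed or newer,
    None if either version string could not be parsed."""
    parsed = parse_version(version)
    fixed_parsed = parse_version(fixed)
    if parsed is None or fixed_parsed is None:
        return None
    # Tuple comparison is numeric field by field, so 1.9 < 1.11 as intended.
    return parsed < fixed_parsed


if __name__ == "__main__":
    # Constructed sample strings, including one the naive string comparison misjudges.
    for sample in ["1.10B01", "1.9B05", "1.11B02", "1.12B01", "unknown"]:
        print(f"{sample:>8} -> vulnerable={is_vulnerable(sample)}")
```

Feed it the exact string from cat /etc/version; a None result means the string did not match the expected format and the device should be checked by hand rather than marked as patched.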
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /HNAP1/
- Command execution attempts in system logs
- Multiple failed authentication attempts to HNAP1 endpoint
Network Indicators:
- HTTP POST requests to router IP on port 80 with HNAP1 SOAP payloads containing shell metacharacters
- Unusual outbound connections from router
SIEM Query:
source="router_logs" AND (uri_path="/HNAP1/" AND http_method="POST" AND (user_agent="*curl*" OR user_agent="*wget*" OR payload CONTAINS "$" OR payload CONTAINS "|" OR payload CONTAINS ";"))
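The SIEM query above can be exercised offline before it is deployed. The following added example (not part of the advisory and not D-Link code) implements the same logic in Python over constructed log lines: a POST to /HNAP1/ is flagged when its SOAP body contains the shell metacharacters "$", "|" or ";", with an extra reason when those characters sit inside SetHostIPv6StaticSettings, and when the user agent is a scripting tool. The key="value" log format and the field names are assumptions chosen to mirror the query; real DAP-1325 logs will differ and need their own parser.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real DAP-1325 logs). Field names mirror the
# SIEM query: method, uri_path, user_agent, payload.
SAMPLE_LOGS = [
    # Legitimate static IPv6 configuration from a browser.
    'src="192.0.2.10" method="POST" uri_path="/HNAP1/" user_agent="Mozilla/5.0" '
    'payload="<SetHostIPv6StaticSettings><IPv6Address>2001:db8::10</IPv6Address></SetHostIPv6StaticSettings>"',
    # Scripted client putting a shell metacharacter into the vulnerable parameter.
    'src="192.0.2.77" method="POST" uri_path="/HNAP1/" user_agent="curl/8.4.0" '
    'payload="<SetHostIPv6StaticSettings><IPv6Address>2001:db8::10;test</IPv6Address></SetHostIPv6StaticSettings>"',
    # Unrelated GET, must not match.
    'src="192.0.2.10" method="GET" uri_path="/index.html" user_agent="Mozilla/5.0" payload=""',
    # Benign HNAP1 read-only call from a browser.
    'src="192.0.2.42" method="POST" uri_path="/HNAP1/" user_agent="Mozilla/5.0" '
    'payload="<GetDeviceSettings/>"',
]

SHELL_METACHARS = ("$", "|", ";")      # the characters named in the SIEM query
TOOL_AGENTS = ("curl", "wget")         # scripted clients named in the SIEM query
_KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key="value" log line into a dict (assumed log format)."""
    return {key: value for key, value in _KV_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the HNAP1 indicators; [] if none."""
    if event.get("method") != "POST" or not event.get("uri_path", "").startswith("/HNAP1/"):
        return []
    reasons: List[str] = []
    payload = event.get("payload", "")
    user_agent = event.get("user_agent", "")
    hits = [c for c in SHELL_METACHARS if c in payload]
    if hits:
        reasons.append("shell metacharacters in SOAP body: " + " ".join(hits))
        if "SetHostIPv6StaticSettings" in payload:
            reasons.append("metacharacters inside SetHostIPv6StaticSettings (CVE-2023-41197 sink)")
    if any(tool in user_agent.lower() for tool in TOOL_AGENTS):
        reasons.append("scripted client user agent: " + user_agent)
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw log lines and collect one alert per matching line."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"src": event.get("src"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert["src"], "->", "; ".join(alert["reasons"]))
```

The user-agent rule on its own will fire on legitimate automation that manages the router with curl, so in production weight the metacharacter reasons higher than the user-agent reason, and tune the source-address allow list to the hosts that are expected to configure the device.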