CVE-2023-43196

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical stack overflow vulnerability in D-Link DI-7200GV2.E1 routers that allows remote attackers to execute arbitrary code via the zn_jb parameter in the arp_sys.asp function. Attackers can potentially gain full control of affected devices. Organizations using these routers with vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • D-Link DI-7200GV2.E1
Versions: v21.04.09E1
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the web management interface's arp_sys.asp function. Devices with web management enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains full root/system-level access to the router, enabling complete device takeover, network traffic interception, lateral movement to internal networks, and persistent backdoor installation.

🟠 Likely Case

Remote attacker executes arbitrary code with router privileges, potentially modifying configurations, intercepting traffic, or using the device as a pivot point for further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself, though device compromise still allows traffic monitoring and potential credential theft.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub reference contains technical details that could be used to develop an exploit. Stack overflow vulnerabilities in network devices are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check D-Link security advisories for firmware updates. If one is available, download it from the official D-Link support site and apply it via the web interface.

🔧 Temporary Workarounds

Disable Web Management Interface (applies to: all)

Disable the web management interface if not required for operation

Restrict Management Access (applies to: all)

Configure firewall rules to restrict access to the management interface so that only trusted IPs can reach it

🧯 If You Can't Patch

  • Segment affected routers in isolated network zones with strict firewall rules
  • Implement network monitoring for unusual traffic patterns or exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Login > System > Firmware Information

Check Version:

No CLI command available - use web interface at http://[router-ip]/

Verify Fix Applied:

Verify firmware version is newer than v21.04.09E1 after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to arp_sys.asp with long zn_jb parameter
  • Router crash/restart logs

Network Indicators:

  • HTTP traffic to router management interface with suspicious parameter values
  • Unexpected outbound connections from router

SIEM Query:

http.url:*arp_sys.asp* AND http.method:POST AND http.param.zn_jb:*
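A request-level detector for the log indicator above, added here as an illustration and not part of this advisory. It flags POST requests to arp_sys.asp whose zn_jb parameter is unusually long; the 64-byte threshold and the sample requests are assumptions, since the advisory gives no exact size.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical length threshold: the advisory gives no exact size, so any
# zn_jb value longer than this is treated as suspicious. Tune per environment.
ZN_JB_MAX_LEN = 64


def is_suspicious_arp_sys_request(method, url, body):
    """Return (flagged, reason) for one HTTP request seen at the router."""
    if method.upper() != "POST":
        return (False, "not a POST")
    parts = urlsplit(url)
    if not parts.path.endswith("arp_sys.asp"):
        return (False, "not arp_sys.asp")
    # Parameters normally arrive in the form body; also check the query string.
    params = parse_qs(body, keep_blank_values=True)
    params.update(parse_qs(parts.query, keep_blank_values=True))
    values = params.get("zn_jb")
    if not values:
        return (False, "no zn_jb parameter")
    longest = max(len(v) for v in values)
    if longest > ZN_JB_MAX_LEN:
        return (True, f"zn_jb length {longest} exceeds {ZN_JB_MAX_LEN}")
    return (False, f"zn_jb length {longest} within limit")


# Constructed sample requests (not real captures); 192.0.2.1 is a documentation address.
SAMPLE_REQUESTS = [
    ("POST", "http://192.0.2.1/arp_sys.asp", "zn_jb=1&mac=00:11:22:33:44:55"),
    ("GET", "http://192.0.2.1/arp_sys.asp", ""),
    ("POST", "http://192.0.2.1/arp_sys.asp", "zn_jb=" + "A" * 300),
    ("POST", "http://192.0.2.1/login.asp", "user=admin"),
]


def scan_requests(requests):
    """Return the indices of requests matching the advisory's indicator."""
    return [i for i, (m, u, b) in enumerate(requests)
            if is_suspicious_arp_sys_request(m, u, b)[0]]


if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        m, u, b = SAMPLE_REQUESTS[i]
        print(f"ALERT request #{i}: {m} {u} ({is_suspicious_arp_sys_request(m, u, b)[1]})")
```

Pair the alert with the router crash/restart logs listed above: an oversized zn_jb value followed by a reboot is a stronger signal than either indicator alone.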
