CVE-2024-11068

9.8 CRITICAL

📋 TL;DR

CVE-2024-11068 is a critical vulnerability in D-Link DSL6740C modems that allows unauthenticated remote attackers to change any user's password via API calls. This grants attackers access to web management, SSH, and Telnet services using compromised credentials. Approximately 60,000 end-of-life modems are affected with no official patch available.

💻 Affected Systems

Products:
  • D-Link DSL6740C
Versions: All versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All exposed devices are vulnerable by default. D-Link has declared these devices end-of-life and will not provide patches.

📦 What is this software?

The D-Link DSL6740C is a DSL modem whose embedded firmware exposes web, SSH, and Telnet management services. D-Link has declared the model end-of-life.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the modem with administrative access to all services (web, SSH, Telnet), enabling network interception, device reconfiguration, credential theft, and potential lateral movement to connected devices.

🟠 Likely Case

Remote attackers gain administrative access to the modem management interface, allowing them to change network settings, intercept traffic, or use the device as an attack pivot point.

🟢 If Mitigated

If the modem is behind a firewall with no WAN access, risk is limited to internal attackers only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable API endpoint. Public technical details and proof-of-concept are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8234-0514c-2.html

Restart Required: No

Instructions:

No official patch available. D-Link has declared these devices end-of-life and will not provide security updates.

🔧 Temporary Workarounds

Disable remote management (applies to: all)

  Disable WAN access to the modem management interface.
  Access modem web interface > Advanced > Remote Management > Disable

Change default credentials (applies to: all)

  Change all default passwords, including the admin, user, and support accounts.
  Access modem web interface > Management > Password > Change all passwords

🧯 If You Can't Patch

  • Replace affected modems with supported models
  • Place modem behind firewall with strict inbound rules blocking all WAN access to management interfaces

🔍 How to Verify

Check if Vulnerable:

Check whether the device model is DSL6740C and whether the web management interface is reachable from the WAN.

Check Version:

Check the modem web interface status page, or connect with 'telnet [modem_ip]' and inspect the banner.

Verify Fix Applied:

Confirm that the password change API endpoint rejects unauthenticated requests with an error.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login from new IP
  • Password change events for admin/user accounts
  • Unusual API calls to password change endpoints

Network Indicators:

  • HTTP POST requests to password change API endpoints from external IPs
  • Sudden increase in SSH/Telnet connections from new sources

SIEM Query:

sourceIP=external AND (uri_path CONTAINS "/password" OR uri_path CONTAINS "/user") AND http_method=POST
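The SIEM query above applied to raw web-server access logs, as an added example that is not part of the original advisory: it flags POST requests to paths containing "/password" or "/user" from non-RFC1918 sources. The log lines and paths are constructed placeholders; this page does not name the real endpoint.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (combined-log shape); paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:10:01:03 +0000] "POST /api/user/password HTTP/1.1" 200 45
192.168.1.20 - - [12/Nov/2024:10:02:11 +0000] "POST /api/user/password HTTP/1.1" 200 45
203.0.113.7 - - [12/Nov/2024:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [12/Nov/2024:10:03:02 +0000] "POST /cgi-bin/user.cgi HTTP/1.1" 200 12
10.0.0.5 - - [12/Nov/2024:10:04:00 +0000] "GET /api/user HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# "Internal" here means RFC1918 plus loopback; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """Return True when the address is outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: do not alert on garbage
    return not any(addr in net for net in INTERNAL_NETS)


def match_password_change(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed record if the line matches the SIEM query, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path = rec["path"].lower()
    if (rec["method"] == "POST" and is_external(rec["ip"])
            and ("/password" in path or "/user" in path)):
        return rec
    return None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Apply the query to every line and return the matching records in order."""
    return [r for r in (match_password_change(l) for l in log_text.splitlines()) if r]
```

On the constructed log this returns two records (the external POSTs on lines 1 and 4); the internal POST and the GET requests are ignored.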

🔗 References
