Login Sign Up

CVE-2024-22916

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected D-LINK Go-RT-AC750 routers via a stack overflow in the cgibin component. Attackers can exploit this without authentication to gain full control of the device. All users of the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • D-LINK Go-RT-AC750
Versions: v101b03
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware are affected regardless of configuration.

📦 What is this software?

Go Rt Ac750 Firmware by Dlink

View all CVEs affecting Go Rt Ac750 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent backdoor installation, network traffic interception, and lateral movement to other devices on the network.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, and botnet recruitment.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal network attacks remain possible.

🌐 Internet-Facing: HIGH - Directly accessible from internet with no authentication required for exploitation.
🏢 Internal Only: HIGH - Even internally, exploitation requires no authentication and provides full device control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates reliable exploitation. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest patched version

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit D-LINK support website
2. Download latest firmware for Go-RT-AC750
3. Log into router admin interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router after update completes

🔧 Temporary Workarounds

Disable WAN Access

all

Place router behind firewall or disable WAN administration to prevent external exploitation

Network Segmentation

all

Isolate router on separate VLAN to limit lateral movement if compromised

🧯 If You Can't Patch

  • Replace affected device with patched or different model
  • Implement strict network access controls to isolate device from critical systems

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface or via SSH: cat /proc/version

Check Version:

cat /proc/version or check web interface firmware version

Verify Fix Applied:

Verify firmware version matches patched version from vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual cgibin process crashes
  • Suspicious HTTP requests to router management interface
  • Unexpected firmware modification attempts

Network Indicators:

  • Unusual outbound connections from router
  • Traffic patterns suggesting command and control communication
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND ("cgibin" OR "sprintf") AND ("crash" OR "overflow")

📊 Metadata

CVE ID: CVE-2024-22916
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: January 16, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-22916, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)