CVE-2024-28729

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an attacker with access to the local network to execute arbitrary code on affected D-Link DWR-2000M 5G CPE devices via a crafted request. The affected products are listed as the D-Link DWR 2000M 5G CPE with WiFi 6 AX1800 and the DWR-2000M_1.34ME firmware build. No authentication is required, so any host on the LAN or WiFi segment that can reach the device can potentially gain full control of it.

💻 Affected Systems

Products:
  • D-Link DWR 2000M 5G CPE With Wifi 6 Ax1800
  • D-Link DWR 5G CPE DWR-2000M_1.34ME
Versions: All versions up to and including 1.34ME
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with default configurations. Local network access required for exploitation.

📦 What is this software?

The D-Link DWR-2000M is a 5G customer-premises equipment (CPE) router with WiFi 6 (AX1800): it terminates a 5G mobile connection and provides wired LAN and WiFi connectivity behind it, typically as the edge gateway for a home or small office. A compromise of the device therefore exposes every host that routes through it.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attacker to install persistent malware, intercept all network traffic, pivot to internal networks, and use device as botnet node.

🟠 Likely Case

Local attacker gains administrative access to modify device configuration, intercept traffic, or disrupt network connectivity.

🟢 If Mitigated

Limited impact if device is isolated from critical networks and has strict access controls, though code execution risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public PoC is available on GitHub. Exploitation requires local network access but no authentication, so an attacker only needs a foothold on the LAN or WiFi side of the device (a compromised client, a guest WiFi user, or a rogue device) rather than admin credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (no fixed firmware version is identified on this page)

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the D-Link support site for firmware updates for the DWR-2000M.
2. Download the latest firmware for your exact model, and confirm from the vendor's release notes that it addresses CVE-2024-28729 before treating the device as fixed.
3. Log in to the device admin interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the device.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Isolate affected devices from critical network segments using VLANs or physical separation, and keep untrusted clients (guest WiFi, IoT) off the segment from which the device's management interface is reachable.

Access Control Lists (applies to: all platforms)

Implement strict firewall rules to limit access to the device management interface to a dedicated management host or VLAN. Because the vulnerability is triggered by a crafted request and needs no authentication, a client that cannot reach the management interface cannot send the request.

🧯 If You Can't Patch

  • Replace affected devices with patched or alternative models
  • Deploy network monitoring to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version in the admin interface. If the version is 1.34ME or earlier, the device is vulnerable. Because no fixed version is named on this page, treat any version the vendor has not explicitly confirmed as fixed as vulnerable.

Check Version:

Log in to the web interface at http://[device-ip]/ with admin credentials and read the firmware version from the status or firmware update page.

Verify Fix Applied:

Verify that the installed firmware version is later than 1.34ME and is one the vendor states addresses CVE-2024-28729, then confirm the device rebooted onto the new image (the version shown before the reboot may still be the old one).

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to device management interfaces
  • Multiple failed authentication attempts followed by successful access
  • Unexpected firmware modification logs

Network Indicators:

  • Unusual outbound connections from CPE device
  • Traffic patterns indicating command and control communication
  • Port scanning originating from CPE device

SIEM Query:

source="dlink-cpe" AND ((http_method="POST" AND uri="/cgi-bin/*" AND status=200) OR (event_type="firmware_update" AND user!="admin"))

The parentheses around the two OR branches matter: written as `source="dlink-cpe" AND (...) OR (...)`, the firmware_update branch would match events from any source, not just the CPE. Successful POSTs to /cgi-bin/ are also routine administrator activity, so exclude the management host or VLAN from the first branch (or baseline it) before alerting on it.
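The same two detections as the SIEM query, implemented as a small offline checker. This is an added example, not part of the original page or any D-Link tooling. It assumes the device logs (or a forwarder) produce one JSON object per line with the fields used in the query (source, http_method, uri, status, src_ip, event_type, user); the management subnet, the sample records and the field names are all constructed for illustration.

```python
"""Offline checker for the two indicators in the SIEM query above.

Added example (not vendor code). Assumed log format: one JSON object per
line carrying the same field names the SIEM query uses. The management
subnet and the sample records are constructed, not captured from a device.
"""
import fnmatch
import ipaddress
import json

# Assumed management subnet: successful POSTs from here are expected admin
# activity and are suppressed to keep the CGI rule from paging on every login.
ADMIN_NETS = [ipaddress.ip_network("10.0.99.0/24")]

# Constructed sample records; not real device logs.
SAMPLE_LOGS = """\
{"source": "dlink-cpe", "src_ip": "10.0.99.5", "http_method": "POST", "uri": "/cgi-bin/login.cgi", "status": 200}
{"source": "dlink-cpe", "src_ip": "192.168.1.77", "http_method": "POST", "uri": "/cgi-bin/config.cgi", "status": 200}
{"source": "dlink-cpe", "src_ip": "192.168.1.77", "http_method": "GET", "uri": "/cgi-bin/status.cgi", "status": 200}
{"source": "dlink-cpe", "src_ip": "192.168.1.77", "http_method": "POST", "uri": "/cgi-bin/upload.cgi", "status": 401}
{"source": "dlink-cpe", "event_type": "firmware_update", "user": "admin"}
{"source": "dlink-cpe", "event_type": "firmware_update", "user": "guest"}
{"source": "core-switch", "src_ip": "192.168.1.77", "http_method": "POST", "uri": "/cgi-bin/x.cgi", "status": 200}
"""


def is_admin_source(ip):
    """True if ip parses and falls inside one of the assumed management nets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def classify(rec):
    """Return an alert name for one record, or None if it is benign.

    Both branches are scoped to source == "dlink-cpe", mirroring the
    parenthesised form of the SIEM query.
    """
    if rec.get("source") != "dlink-cpe":
        return None
    # Branch 1: successful POST to a CGI endpoint from outside the admin net.
    if (rec.get("http_method") == "POST"
            and fnmatch.fnmatch(rec.get("uri", ""), "/cgi-bin/*")
            and rec.get("status") == 200
            and not is_admin_source(rec.get("src_ip", ""))):
        return "cgi_post_from_non_admin_host"
    # Branch 2: firmware update performed by an account other than admin.
    if rec.get("event_type") == "firmware_update" and rec.get("user") != "admin":
        return "firmware_update_by_non_admin"
    return None


def scan(log_text):
    """Run classify() over every line; return (line_no, alert, subject) tuples.

    Malformed lines are skipped rather than aborting the scan, since a
    forwarder that mixes formats should not silence the detector.
    """
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        name = classify(rec)
        if name:
            alerts.append((lineno, name, rec.get("src_ip") or rec.get("user")))
    return alerts


if __name__ == "__main__":
    for lineno, name, subject in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {name} ({subject})")
```

Run against the constructed sample, only two records fire: the POST to /cgi-bin/config.cgi from 192.168.1.77 (a client outside the assumed management net) and the firmware update attributed to "guest". The admin-net login, the GET, the 401 upload attempt and the record from a different source are all suppressed, which is the behaviour you want before turning the query into a paging alert.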
