CVE-2024-29385 – CVE-2024-29385 is an unauthenticated remote cod... (How to Fix)

Q: What is the severity of CVE-2024-29385?

CVE-2024-29385 has a CVSS score of 9.0 (CRITICAL). CVE-2024-29385 is an unauthenticated remote code execution vulnerability in D-Link DIR-845L routers. Attackers can exploit the soapcgi_main function in the cgibin binary to execute arbitrary code without credentials. This affects all users of DIR-845L routers running vulnerable firmware versions.

📋 TL;DR

CVE-2024-29385 is an unauthenticated remote code execution vulnerability in D-Link DIR-845L routers. Attackers can exploit the soapcgi_main function in the cgibin binary to execute arbitrary code without credentials. This affects all users of DIR-845L routers running vulnerable firmware versions.

💻 Affected Systems

Products:

D-Link DIR-845L Wireless Router

Versions: v1.01KRb03 and earlier

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. The vulnerability exists in the web management interface's SOAP CGI handler.

📦 What is this software?

Dir 845l Firmware by Dlink

View all CVEs affecting Dir 845l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to install persistent malware, intercept all network traffic, pivot to internal devices, and use the router as part of a botnet.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and deployment of malware to connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and regular firmware updates.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.

🏢 Internal Only: MEDIUM - Could be exploited from compromised internal devices or via phishing attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details available in GitHub repository. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link advisory for latest patched version

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Log into router web interface. 2. Navigate to System > Firmware Update. 3. Download latest firmware from D-Link support site. 4. Upload and apply firmware update. 5. Reboot router after update completes.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Network Segmentation

all

Isolate router management interface to trusted network

🧯 If You Can't Patch

Replace vulnerable router with supported model
Implement strict firewall rules blocking all WAN access to router management ports (80, 443, 8080)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: System > Firmware Update > Current Firmware Version

Check Version:

curl -s http://router-ip/version.cgi | grep Firmware

Verify Fix Applied:

Verify firmware version is newer than v1.01KRb03 and test SOAP endpoints are no longer accessible

📡 Detection & Monitoring

Log Indicators:

Unusual SOAP requests to /soap.cgi
Multiple failed authentication attempts followed by successful SOAP access
Unexpected process execution in router logs

Network Indicators:

Unusual outbound connections from router
DNS queries to suspicious domains
Traffic patterns indicating command and control communication

SIEM Query:

source="router.log" AND (uri="/soap.cgi" OR uri="/cgibin") AND (method="POST" OR method="GET")

📊 Metadata

CVE ID: CVE-2024-29385

CVSS v3 Score: 9.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-77

Published: March 22, 2024

Last Updated: June 17, 2025

🔗 References

https://github.com/songah119/Report/blob/main/CI-1.md Exploit,Third Party Advisory
https://www.dlink.com/en/security-bulletin/ Product
https://github.com/songah119/Report/blob/main/CI-1.md Exploit,Third Party Advisory
https://www.dlink.com/en/security-bulletin/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-29385, you might also want to check these: