Login Sign Up

CVE-2024-9534

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A critical buffer overflow vulnerability in D-Link DIR-605L routers allows remote attackers to execute arbitrary code by manipulating the curTime parameter in the formEasySetPassword function. This affects all users of DIR-605L firmware version 2.13B01 BETA. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:
  • D-Link DIR-605L
Versions: 2.13B01 BETA
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific BETA firmware version. Production versions may not be vulnerable.

📦 What is this software?

Dir 605l Firmware by Dlink

View all CVEs affecting Dir 605l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full router compromise, credential theft, network pivoting, and persistent backdoor installation.

🟠

Likely Case

Router takeover enabling traffic interception, DNS manipulation, and botnet recruitment.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access and strong network segmentation.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making exposed devices immediate targets.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/

Restart Required: Yes

Instructions:

1. Check D-Link website for firmware updates. 2. If update available, download from official site. 3. Log into router admin panel. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace router with supported model running non-vulnerable firmware
  • Implement strict firewall rules blocking all external access to router management interface (typically ports 80, 443, 8080)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel under System or Maintenance section. If version is 2.13B01 BETA, device is vulnerable.

Check Version:

Check via router web interface or use nmap scan: nmap -sV -p80,443 [router-ip]

Verify Fix Applied:

After firmware update, verify version has changed from 2.13B01 BETA to a newer version.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/formEasySetPassword with abnormal curTime parameter values
  • Router reboot events following suspicious web requests

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • DNS queries to suspicious domains from router

SIEM Query:

source="router_logs" AND (url="/goform/formEasySetPassword" AND (param="curTime" AND value="*[long_string]*"))

📊 Metadata

CVE ID: CVE-2024-9534
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-120
Published: October 5, 2024
Last Updated: October 9, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-9534, you might also want to check these:

CVE-2023-24482 10.0

This CVE describes a critical buffer overflow vulnerability in COMOS software's cache validation ser...

Same vulnerability type (CWE-120)
CVE-2024-22039 10.0

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privi...

Same vulnerability type (CWE-120)
CVE-2022-22570 10.0

A buffer overflow vulnerability in UniFi Door Access Reader Lite firmware allows attackers with netw...

Same vulnerability type (CWE-120)