First published: Wed Oct 17 2018(Updated: )
An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
D-Link DWR-116 Firmware | <=1.06 | |
D-Link DWR-116 | ||
D-Link DIR-140L Firmware | <=1.02 | |
D-Link DIR-140L | ||
D-Link DIR-640L Firmware | <=1.02 | |
D-Link DIR-640L | ||
D-Link DWR-512 Firmware | <=2.02 | |
D-Link DWR-512 | ||
D-Link DWR-712 firmware | <=2.02 | |
D-Link DWR-712 firmware | ||
D-Link DWR-912 Firmware | <=2.02 | |
D-Link DWR-921 Firmware | ||
D-Link DWR-921 Firmware | <=2.02 | |
D-Link DWR-921 | ||
D-Link DWR-111 Firmware | <=1.01 | |
dlink DWR-111 firmware |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-10824 has a medium severity level due to the exposure of administrative passwords.
To fix CVE-2018-10824, it is recommended to update the affected D-Link device firmware to the latest version.
CVE-2018-10824 affects various D-Link devices including DWR-116, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, DWR-921, and DWR-111.
CVE-2018-10824 compromises administrative passwords that are stored in plaintext.
If you are unable to update your affected D-Link device, it is critical to change the default administrative password and limit device exposure to the internet.