| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.7 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in D-Link DAP-2622. This affects an unknown function of the component DDP Service. Performing a manipulation results in stack-based overflow. This vulnerability is known as CVE-2023-35746. Access to the local network is required for this attack. No exploit is available. It is recommended to upgrade the affected component.
Details
A vulnerability, which was classified as critical, was found in D-Link DAP-2622 (version now known). This affects some unknown processing of the component DDP Service. The manipulation with an unknown input leads to a stack-based overflow vulnerability. CWE is classifying the issue as CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
D-Link DAP-2622 DDP Firmware Upgrade Auth Username Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DDP service. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-20074.
The weakness was published 08/26/2023 as ZDI-23-1251. The advisory is shared at zerodayinitiative.com. This vulnerability is uniquely identified as CVE-2023-35746 since 06/15/2023. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 05/13/2025).
Upgrading eliminates this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Vendor
Name
License
Website
- Vendor: https://www.dlink.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.8VulDB Meta Temp Score: 8.7
VulDB Base Score: 8.8
VulDB Temp Score: 8.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.8
NVD Vector: 🔍
CNA Base Score: 8.8
CNA Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Stack-based overflowCWE: CWE-121 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
06/15/2023 🔍08/26/2023 🔍
08/26/2023 🔍
05/13/2025 🔍
Sources
Vendor: dlink.comAdvisory: ZDI-23-1251
Status: Confirmed
CVE: CVE-2023-35746 (🔍)
GCVE (CVE): GCVE-0-2023-35746
GCVE (VulDB): GCVE-100-238125
Entry
Created: 08/26/2023 14:03Updated: 05/13/2025 16:14
Changes: 08/26/2023 14:03 (38), 09/19/2024 07:09 (27), 05/13/2025 16:14 (10)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.