
Multiple D-Link DSL6740C Modem Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-11068 CVSS:9.8

The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user’s account.

CVE-2024-11067 CVSS:7.5

The D-Link DSL6740C modem could allow a remote attacker to traverse directories on the system, caused by improper validation of user-supplied requests. An attacker could send a specially crafted URL request to the root/run/adm.php script containing "dot dot" sequences (/../) in the efile parameter to create arbitrary files on the system.
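The traversal pattern above (a `..` sequence in the `efile` parameter of `adm.php`) is easy to hunt for in web-server logs and easy to contain in code. The following is an added example, not code from Rewterz or D-Link: it scans constructed combined-format access-log lines for requests to that script whose `efile` value still contains a `..` segment after percent-decoding (including double-encoded forms), and shows the confinement check a file-serving handler should apply before opening anything. The log format, sample lines and `/var/www/files` base directory are assumptions for the illustration.

```python
"""Detecting and containing the traversal pattern described above (CVE-2024-11067:
'../' sequences in the efile parameter of adm.php). Added example, not code from
Rewterz or D-Link; the combined-format access-log lines are constructed."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2024:10:01:02 +0000] "GET /root/run/adm.php?efile=status.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2024:10:01:07 +0000] "GET /root/run/adm.php?efile=../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [12/Nov/2024:10:01:09 +0000] "GET /root/run/adm.php?efile=..%252F..%252Ftmp%252Fdropped.txt HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.2 - - [12/Nov/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Peel repeated percent-encoding (e.g. %252e%252e) until the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if any path segment of the decoded value is '..' (either slash style)."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments


def find_traversal_attempts(log_text, script="/root/run/adm.php", param="efile"):
    """Return (source_ip, decoded efile value, HTTP status) for each request to
    the script whose efile parameter carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != script:
            continue
        # parse_qs decodes one layer; fully_decode handles the rest.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if has_traversal(value):
                hits.append((m.group("src"), fully_decode(value), int(m.group("status"))))
    return hits


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Mitigation pattern: confine a user-supplied file name to base_dir.
    Rejects absolute paths and any normalized result that leaves base_dir.
    Purely lexical; on a real filesystem also resolve symlinks (os.path.realpath)."""
    base = posixpath.normpath(base_dir)
    if user_path.startswith("/"):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    candidate = posixpath.normpath(posixpath.join(base, fully_decode(user_path)))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for src, efile, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {src}: efile={efile!r} (HTTP {status})")
```

Two design points: the detector decodes before matching, because a WAF or grep on the literal string `../` misses `%2e%2e%2f` and double-encoded variants; and the handler-side check rejects based on the normalized result rather than on the presence of `..`, so `sub/../status.txt` (harmless) is allowed while anything that resolves outside the base directory is refused regardless of how it was spelled.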

CVE-2024-11066 CVSS:7.2

The D-Link DSL6740C modem could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in an unspecified web page. By sending a specially crafted request, an attacker could exploit this flaw to execute arbitrary commands on the system.

CVE-2024-11065 CVSS:7.2

The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet.

CVE-2024-11063 CVSS:7.2

The D-Link DSL6740C modem could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the SSH and Telnet components. By sending a specially crafted request, an attacker could exploit this flaw to execute arbitrary commands on the system.

CVE-2024-11064 CVSS:7.2

The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet.
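The four command-injection entries above share one root cause: a user-controlled value reaches a shell. The advisory does not name the affected functionality, so the following added example (not D-Link code) uses a hypothetical "ping a host" diagnostic to show the vulnerable construction beside its hardened form: the shell-string interpolation that lets `;` or `$(...)` start a second command, an allow-list validator, an argv-vector call with no shell, and a small review helper that flags shell separators in a built command string. The hostname pattern, the `ping -c 1` command and the sample inputs are assumptions for the illustration.

```python
"""Hardening pattern for the OS command injection class described in the CVEs
above. Added example, not D-Link code: the modem's affected feature is not named
('a specific functionality'), so a hypothetical 'ping a host' diagnostic stands in."""
import re
import shlex
import subprocess

# RFC 1123-style hostname / dotted-quad allow-list: labels of [A-Za-z0-9-], not
# starting or ending with '-', joined by dots. Nothing else gets through.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Tokens a POSIX shell would treat as command separators or substitution syntax.
SHELL_METACHAR_TOKENS = {";", "|", "||", "&", "&&", "(", ")", "<", ">", "$", "`"}


def build_unsafe_command(host: str) -> str:
    """Vulnerable pattern: user input interpolated into a string that is later
    handed to /bin/sh. Anything the shell treats specially becomes a command."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Reject anything outside the hostname allow-list (raises ValueError)."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def is_valid_host(host: str) -> bool:
    """Boolean wrapper around validate_host."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_safe_command(host: str) -> list:
    """Hardened pattern: validated value placed in an argv list. Executed with
    shell=False there is no shell to interpret metacharacters at all."""
    return ["ping", "-c", "1", validate_host(host)]


def shell_would_split(cmd: str) -> bool:
    """Review helper: would a POSIX shell see a separator or substitution token in
    this string? Uses shlex in punctuation mode so ';', '|', '&', '(' surface."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return any(tok in SHELL_METACHAR_TOKENS for tok in lexer)


def run_argv(argv: list) -> str:
    """Execute an argv list without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout.strip()


def argv_keeps_metachars_literal(payload: str = "example.com; id") -> str:
    """Demonstration with echo: passed as one argv element, the ';' is plain data
    and comes back unchanged instead of starting a second command."""
    return run_argv(["echo", payload])


if __name__ == "__main__":
    for candidate in ("gw.example.net", "10.0.0.1", "example.com; id", "$(id)"):
        print(f"{candidate!r}: allow-listed={is_valid_host(candidate)}, "
              f"unsafe string would split={shell_would_split(build_unsafe_command(candidate))}")
    print("echo via argv:", argv_keeps_metachars_literal())
```

The two controls are independent and both belong in the fix: the allow-list stops malformed values at the boundary, and the argv call removes the shell so that even a validator bug cannot turn data into a command. `shell_would_split` is only a code-review aid for spotting shell-string construction, not a runtime filter; deny-listing characters is exactly the approach that fails under encoding and locale variations.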

Impact

  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-11068
  • CVE-2024-11067
  • CVE-2024-11066
  • CVE-2024-11065
  • CVE-2024-11063
  • CVE-2024-11064

Affected Vendors

D-Link

Affected Products

  • D-Link DSL6740C

Remediation

Refer to the D-Link security advisory for patch, upgrade, or suggested workaround information for the following CVEs:

  • CVE-2024-11068
  • CVE-2024-11067
  • CVE-2024-11066
  • CVE-2024-11065
  • CVE-2024-11063
  • CVE-2024-11064