Overview

On December 28, 2022, 3rd party security research from TrendMicro ZDI reported the D-Link D-View 8.0 Network Device Management platform as having multiple vulnerabilities.  The research was done on a demo version of the software, the corrected, and qualified version is the first release version from D-Link Corporation.

As soon as D-Link was made aware of the reported security issues, we had promptly started our investigation and began developing security patches.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

Report information  

        - Reported by TrendMicro ZDI

                 - ZDI-CAN-19496: D-Link D-View TftpSendFileThread Directory Traversal Information Disclosure Vulnerability
 
                   - ZDI-CAN-19497: D-Link D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution Vulnerability

                   - ZDI-CAN-19527: D-Link D-View uploadFile Directory Traversal Arbitrary File Creation Vulnerability

                   - ZDI-CAN-19529: D-Link D-View uploadMib Directory Traversal Arbitrary File Creation or Deletion Vulnerability

                   - ZDI-CAN-19534: D-Link D-View showUser Improper Authorization Privilege Escalation Vulnerability

                   - ZDI-CAN-19659: D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability
 

Affected Models