Details of VAR-202308-3319

ID

VAR-202308-3319

CVE

CVE-2023-37325

TITLE

D-Link Systems, Inc. of DAP-2622 Vulnerability related to lack of authentication for critical functions in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-029392

DESCRIPTION

D-Link DAP-2622 DDP Set SSID List Missing Authentication Vulnerability. This vulnerability allows network-adjacent attackers to make unauthorized changes to device configuration on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DDP service. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to manipulate wireless authentication settings. Was ZDI-CAN-20104. D-Link Systems, Inc. of DAP-2622 Firmware has a lack of authentication vulnerability for critical functionality.Information is tampered with and service operation is interrupted (DoS) It may be in a state. D-Link DAP-2622 is a wireless access point device from D-Link, a Chinese company. No detailed vulnerability details are currently provided

Trust: 2.79

sources: NVD: CVE-2023-37325 // JVNDB: JVNDB-2023-029392 // ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-24417

AFFECTED PRODUCTS

vendor:	d link	model:	dap-2622	scope:	-	version:	-	Trust: 1.5
vendor:	dlink	model:	dap-2622	scope:	eq	version:	1.00	Trust: 1.0
vendor:	d link	model:	dap-2622	scope:	eq	version:	dap-2622 firmware 1.00	Trust: 0.8
vendor:	d link	model:	dap-2622	scope:	eq	version:	-	Trust: 0.8
vendor:	d link	model:	dap-2622	scope:	eq	version:	*	Trust: 0.6

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417 // JVNDB: JVNDB-2023-029392 // NVD: CVE-2023-37325

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2023-37325
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2023-029392
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2023-37325
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2024-24417
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-24417
severity:	MEDIUM
baseScore:	4.8
vectorString:	AV:A/AC:L/AU:N/C:N/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2023-37325
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	2.5
version:	3.0
Trust: 1.0
OTHER:	JVNDB-2023-029392
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2023-37325
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	2.5
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417 // JVNDB: JVNDB-2023-029392 // NVD: CVE-2023-37325

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	Lack of authentication for critical features (CWE-306) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-029392 // NVD: CVE-2023-37325

PATCH

title:	D-Link has issued an update to correct this vulnerability.	url:	https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349	Trust: 0.7
title:	Patch for D-Link DAP-2622 has an unspecified vulnerability (CNVD-2024-24417)	url:	https://www.cnvd.org.cn/patchInfo/show/547376	Trust: 0.6

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417

EXTERNAL IDS

db:	NVD	id:	CVE-2023-37325	Trust: 3.9
db:	ZDI	id:	ZDI-23-1280	Trust: 2.5
db:	DLINK	id:	SAP10349	Trust: 1.8
db:	JVNDB	id:	JVNDB-2023-029392	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-20104	Trust: 0.7
db:	CNVD	id:	CNVD-2024-24417	Trust: 0.6

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417 // JVNDB: JVNDB-2023-029392 // NVD: CVE-2023-37325

REFERENCES

url:	https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=sap10349	Trust: 2.5
url:	https://www.zerodayinitiative.com/advisories/zdi-23-1280/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-37325	Trust: 1.4

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417 // JVNDB: JVNDB-2023-029392 // NVD: CVE-2023-37325

CREDITS

Dmitry "InfoSecDJ" Janushkevich of Trend Micro Zero Day Initiative

Trust: 0.7

sources: ZDI: ZDI-23-1280

SOURCES

db:	ZDI	id:	ZDI-23-1280
db:	CNVD	id:	CNVD-2024-24417
db:	JVNDB	id:	JVNDB-2023-029392
db:	NVD	id:	CVE-2023-37325

LAST UPDATE DATE

2025-08-09T22:53:50.150000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-23-1280	date:	2024-05-03T00:00:00
db:	CNVD	id:	CNVD-2024-24417	date:	2024-05-27T00:00:00
db:	JVNDB	id:	JVNDB-2023-029392	date:	2025-08-07T06:54:00
db:	NVD	id:	CVE-2023-37325	date:	2025-08-06T14:14:17.320

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-23-1280	date:	2023-08-25T00:00:00
db:	CNVD	id:	CNVD-2024-24417	date:	2024-05-24T00:00:00
db:	JVNDB	id:	JVNDB-2023-029392	date:	2025-08-07T00:00:00
db:	NVD	id:	CVE-2023-37325	date:	2024-05-07T23:15:16.497