Advisory Details

January 11th, 2024

D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability

ZDI-24-049
ZDI-CAN-21492

CVE ID CVE-2023-51629
CVSS SCORE 6.3, AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AFFECTED VENDORS D-Link
AFFECTED PRODUCTS DCS-8300LHV2
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DCS-8300LHV2 IP cameras. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the configuration of the ONVIF API. The issue results from the use of a hardcoded PIN. An attacker can leverage this vulnerability to bypass authentication on the system.

ADDITIONAL DETAILS D-Link has issued an update to correct this vulnerability. More details can be found at:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10370
DISCLOSURE TIMELINE
  • 2023-07-14 - Vulnerability reported to vendor
  • 2024-01-11 - Coordinated public release of advisory
  • 2024-07-01 - Advisory Updated
CREDIT Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
BACK TO ADVISORIES