Body Background
TrendAI™ Zero Day Initiative™ Logo

D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability

January 11th, 2024
ZDI-24-049 ZDI-CAN-21492

CVE ID

CVE-2023-51629

CVSS Score

6.3 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Vendors

D-Link

Affected Products

DCS-8300LHV2

Vulnerability Details

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DCS-8300LHV2 IP cameras. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the configuration of the ONVIF API. The issue results from the use of a hardcoded PIN. An attacker can leverage this vulnerability to bypass authentication on the system.

Additional Details

D-Link has issued an update to correct this vulnerability. More details can be found at:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10370

Disclosure Timeline

  • 2023-07-14 - Vulnerability reported to vendor
  • 2024-01-11 - Coordinated public release of advisory
  • 2024-07-01 - Advisory Updated

Credit

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

Back to Advisories

Hero Background

Stand at the front line of proactive security

Trend ZDI connects the experts who discover, remediate, and defend.
Add your voice to the work that pushes attackers back.

RESEARCHERS

Submit a vulnerability

VENDORS

Learn how it works

ORGANIZATIONS

See how you're protected