VYPR
Unrated severity · NVD Advisory · Published May 1, 2023 · Updated Jan 30, 2025

CVE-2023-30063

Description

D-Link DIR-890L FW1.10 A1 suffers from an authentication bypass vulnerability in the phpcgi component, allowing unauthenticated attackers to retrieve router credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The D-Link DIR-890L router running firmware version FW1.10 A1 contains an authentication bypass vulnerability in the phpcgi component. This component processes requests to .php, .asp, and .txt pages and checks user authorization. With a specially crafted request, an attacker can bypass the authorization checks entirely [1]. The vulnerable code path is reachable in the default firmware; no special configuration is required.

Exploitation

An attacker does not need prior authentication or any special network position beyond being able to send HTTP requests to the router's management interface. A crafted request to the phpcgi handler bypasses the authorization check, after which the attacker can execute script commands that return the router's login credentials (username and password) [1]. A proof-of-concept exploit script (phpcgi.py) is publicly available [1].

Impact

Successful exploitation allows an unauthenticated attacker to retrieve the router's administrative credentials. This results in a complete compromise of the router's configuration interface, leading to full disclosure of sensitive information (e.g., Wi-Fi passwords, network settings) and potential further attacks on the network [1]. The attacker gains administrative-level access to the device.

Mitigation

D-Link has not released a firmware update for this vulnerability, and the DIR-890L is likely an end-of-life (EOL) product. As of the publication date, no fix is available [2]. Users should consider replacing the router with a supported model that receives security updates. If replacement is not possible, restrict remote administration access and ensure the management interface is not exposed to the internet.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Dlink/DIR-890L (cpe-rescue, 2 versions)
    • (no CPE)
    • (no CPE), range: = FW1.10 A1

Patches

0

No patches discovered yet.

References

2
