D-Link has fixed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.
D-View is a network management suite developed by the Taiwanese networking solutions vendor D-Link, used by businesses of all sizes for monitoring performance, controlling device configurations, creating network maps, and generally making network management and administration more efficient and less time-consuming.
Security researchers participating in Trend Micro’s Zero Day Initiative discovered six flaws impacting D-View late last year and reported them to the vendor on December 23, 2022.
The first flaw is tracked as CVE-2023-32165 and is a remote code execution flaw arising from the lack of proper validation of a user-supplied path before using it in file operations.
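The root cause described for this flaw class, a user-supplied path used in a file operation without validation, is easy to see side by side with its fix. The following is an added example written for this article, not code from D-View or from D-Link's advisory, and it does not claim to reproduce the product's actual file-handling logic. The sandbox directory, file names and the `resolve_within` helper are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sandbox: a temporary "document root" holding one legitimate file,
# plus a sibling file outside it that a file-serving handler must never reach.
ROOT = tempfile.mkdtemp(prefix="path_demo_")
BASE_DIR = os.path.join(ROOT, "files")
OUTSIDE_FILE = os.path.join(ROOT, "secret.cfg")
os.makedirs(os.path.join(BASE_DIR, "reports"))
with open(os.path.join(BASE_DIR, "reports", "summary.txt"), "w") as f:
    f.write("legitimate report\n")
with open(OUTSIDE_FILE, "w") as f:
    f.write("outside the allowed directory\n")


def naive_join(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: the caller's path goes straight into a file operation.

    os.path.join discards base_dir entirely when user_path is absolute, and
    '..' segments pass through untouched, so the result is not confined."""
    return os.path.join(base_dir, user_path)


class PathOutsideBase(ValueError):
    """Raised when a canonicalised path does not stay under the allowed base."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Hardened pattern: canonicalise first, then require containment.

    realpath() collapses '..' and follows symlinks, so the comparison is done
    on the path the OS will actually open, not on the string the client sent."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(f"{user_path!r} escapes {base_dir}")
    return candidate


def read_unsafe(user_path: str) -> str:
    """Reads whatever the joined path points at, inside the base directory or not."""
    with open(naive_join(BASE_DIR, user_path)) as f:
        return f.read()


def read_safe(user_path: str) -> str:
    """Refuses any path that does not canonicalise to a location under BASE_DIR."""
    with open(resolve_within(BASE_DIR, user_path)) as f:
        return f.read()


def is_contained(user_path: str) -> bool:
    """Boolean form of the check, convenient for unit tests and request logging."""
    try:
        resolve_within(BASE_DIR, user_path)
        return True
    except PathOutsideBase:
        return False


if __name__ == "__main__":
    for p in ["reports/summary.txt", "../secret.cfg", OUTSIDE_FILE]:
        print(f"{p!r}: contained={is_contained(p)}")
```

The comparison is deliberately done with `os.path.commonpath` on canonical paths rather than with a string prefix test, because a prefix test on `/srv/files` would also accept `/srv/files-old/...`. The same check belongs wherever a request parameter selects a file: download, upload, template and log-viewer endpoints alike.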
The second critical flaw has received the identifier CVE-2023-32169 and is an authentication bypass problem resulting from the use of a hard-coded cryptographic key in the software's TokenUtils class.
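Why a hard-coded token-signing key amounts to an authentication bypass is worth showing concretely: every installation shares the same key, so a token minted anywhere verifies everywhere once the key is known. The example below is added for this article and is not D-View's TokenUtils class or any D-Link code; the token format, the `TokenSigner` class, the constructed `HARDCODED_KEY` value and the per-installation key file are all assumptions made for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenSigner:
    """Minimal HMAC-SHA256 session token: base64url(payload).base64url(mac)."""

    def __init__(self, key: bytes, ttl_seconds: int = 3600):
        if len(key) < 32:
            raise ValueError("signing key must be at least 256 bits")
        self._key = key
        self._ttl = ttl_seconds

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = json.dumps({"sub": username, "exp": int(now + self._ttl)},
                             separators=(",", ":")).encode()
        mac = hmac.new(self._key, payload, hashlib.sha256).digest()
        return f"{b64url(payload)}.{b64url(mac)}"

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username if the token is authentic and unexpired, else None."""
        now = time.time() if now is None else now
        try:
            p, m = token.split(".", 1)
            payload, mac = unb64url(p), unb64url(m)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return None
        claims = json.loads(payload)
        if claims.get("exp", 0) < now:
            return None
        return claims.get("sub")


# Vulnerable pattern: the key is a constant compiled into the product. Every
# installation shares it, so possession of one copy of the software is enough
# to produce tokens that any other installation will accept.
HARDCODED_KEY = b"constructed-example-key-do-not-ship-0000"   # constructed value


def hardcoded_signer() -> TokenSigner:
    return TokenSigner(HARDCODED_KEY)


# Hardened pattern: a per-installation key generated on first start and kept in
# an owner-only file (or a secrets manager / environment variable), never in source.
def load_or_create_key(path: str) -> bytes:
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        key = secrets.token_bytes(32)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(key)
        return key


def fresh_per_install_signer() -> TokenSigner:
    """Simulates one installation with its own key file in a fresh directory."""
    key_path = os.path.join(tempfile.mkdtemp(prefix="token_demo_"), "token.key")
    return TokenSigner(load_or_create_key(key_path))


def cross_install_forgery_works(make_signer) -> bool:
    """Mint a token on 'installation A' and ask 'installation B' to verify it."""
    a, b = make_signer(), make_signer()
    return b.verify(a.issue("admin")) == "admin"


if __name__ == "__main__":
    print("hard-coded key, token accepted elsewhere:",
          cross_install_forgery_works(hardcoded_signer))
    print("per-install key, token accepted elsewhere:",
          cross_install_forgery_works(fresh_per_install_signer))
```

Rotating a hard-coded key requires shipping a new build, whereas a per-installation key can be rotated by deleting the key file and restarting, which also invalidates every outstanding token at once. Scanning shipped artifacts for literal key material in classes with names like `TokenUtils` or `CryptoUtils` is a cheap secret-detection check to add to a build pipeline.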
D-Link has released an advisory on all six flaws reported by the ZDI, which impact D-View 8 version 2.0.1.27 and below, urging admins to upgrade to the fixed version, 2.0.1.28, released on May 17, 2023.