Dlink Dsr-250N Firmware vulnerabilities

11 known vulnerabilities affecting dlink/dsr-250n_firmware.

Total CVEs

11

CISA KEV

0

Public exploits

2

Exploited in wild

0

Severity breakdown

CRITICAL2HIGH7MEDIUM2

Vulnerabilities

Page 1 of 1

CVE-2024-57376HIGHCVSS 8.8≥ 3.13, ≤ 3.17B901C2025-01-28

CVE-2024-57376 [HIGH] CWE-120 CVE-2024-57376: Buffer Overflow vulnerability in D-Link DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500N, DSR-1000N fr Buffer Overflow vulnerability in D-Link DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500N, DSR-1000N from 3.13 to 3.17B901C allows unauthenticated users to execute remote code execution.

CVE-2020-25758HIGHCVSS 8.8≤ 3.172020-12-15

CVE-2020-25758 [HIGH] CWE-354 CVE-2020-25758: An issue was discovered on D-Link DSR-250 3.17 devices. Insufficient validation of configuration fil An issue was discovered on D-Link DSR-250 3.17 devices. Insufficient validation of configuration file checksums could allow a remote, authenticated attacker to inject arbitrary crontab entries into saved configurations before uploading. These entries are executed as root.

CVE-2020-25757HIGHCVSS 8.8≤ 3.172020-12-15

CVE-2020-25757 [HIGH] CWE-20 CVE-2020-25757: A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in a A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17.

CVE-2020-25759HIGHCVSS 8.8≤ 3.172020-12-15

CVE-2020-25759 [HIGH] CWE-20 CVE-2020-25759: An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Service An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests.

CVE-2020-26567MEDIUMCVSS 5.5PoCfixed in 3.17b2020-10-08

CVE-2020-26567 [MEDIUM] CWE-306 CVE-2020-26567: An issue was discovered on D-Link DSR-250N before 3.17B devices. The CGI script upgradeStatusReboot. An issue was discovered on D-Link DSR-250N before 3.17B devices. The CGI script upgradeStatusReboot.cgi can be accessed without authentication. Any access reboots the device, rendering it therefore unusable for several minutes.

CVE-2012-6614HIGHCVSS 7.2fixed in 1.08b312020-02-19

CVE-2012-6614 [HIGH] CWE-862 CVE-2012-6614: D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root a D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.

CVE-2013-5945CRITICALCVSS 9.8PoCfixed in 1.08b442020-02-11

CVE-2013-5945 [CRITICAL] CWE-89 CVE-2013-5945: Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenti

CVE-2012-6613HIGHCVSS 7.2v1.05b73_ww2020-01-25

CVE-2012-6613 [HIGH] CVE-2012-6613: D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin p D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.

CVE-2013-5946CRITICALCVSS 10.0≤ 1.08b39v1.01b46+4 more2013-12-19

CVE-2013-5946 [CRITICAL] CWE-78 CVE-2013-5946: The runShellCmd function in systemCheck.htm in D-Link DSR-150 with firmware before 1.08B44; DSR-150N The runShellCmd function in systemCheck.htm in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "Pin

CVE-2013-7004HIGHCVSS 7.8≤ 1.08b39v1.01b46+4 more2013-12-19

CVE-2013-7004 [HIGH] CWE-255 CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR- D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of th

CVE-2013-7005MEDIUMCVSS 4.9≤ 1.08b39v1.01b46+4 more2013-12-19

CVE-2013-7005 [MEDIUM] CWE-200 CVE-2013-7005: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR- D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 stores account passwords in cleartext, which allows local users to obtain sensitive information by reading the Users[#]["Password"] fields in