CVE-2024-5296 - Vulnerability Details - OpenCVE

D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
D-link	D-view
Dlink	D-view 8

Configuration 1 [-]

cpe:2.3:a:dlink:d-view_8:2.0.1.28:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.zerodayinitiative.com/advisories/ZDI-24-447/

History

Wed, 06 Aug 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink d-view 8
CPEs		cpe:2.3:a:dlink:d-view_8:2.0.1.28:::::::*
Vendors & Products		Dlink Dlink d-view 8

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2024-05-23T21:29:58.566Z

Updated: 2024-08-01T21:11:11.620Z

Reserved: 2024-05-23T21:28:51.883Z

Link: CVE-2024-5296

Vulnrichment

Updated: 2024-08-01T21:11:11.620Z

NVD

Status : Analyzed

Published: 2024-05-23T22:15:15.617

Modified: 2025-08-06T14:25:33.860

Link: CVE-2024-5296

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5296", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2024-05-23T21:28:51.883Z", "datePublished": "2024-05-23T21:29:58.566Z", "dateUpdated": "2024-08-01T21:11:11.620Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-23T21:29:58.566Z"}, "title": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability", "descriptions": [{"lang": "en", "value": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991."}], "affected": [{"vendor": "D-Link", "product": "D-View", "versions": [{"version": "2.0.1.28", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-321", "description": "CWE-321: Use of Hard-coded Cryptographic Key", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/", "name": "ZDI-24-447", "tags": ["x_research-advisory"]}], "dateAssigned": "2024-05-23T16:28:51.915-05:00", "datePublic": "2024-05-14T10:21:23.062-05:00", "source": {"lang": "en", "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}, "adp": [{"affected": [{"vendor": "d-link", "product": "d-view", "cpes": ["cpe:2.3:a:d-link:d-view:2.0.1.28:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "2.0.1.28", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-24T13:11:43.781611Z", "id": "CVE-2024-5296", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T20:06:43.118Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:11.620Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/", "name": "ZDI-24-447", "tags": ["x_research-advisory", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/", "name": "ZDI-24-447", "tags": ["x_research-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:11.620Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5296", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-24T13:11:43.781611Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:d-link:d-view:2.0.1.28:*:*:*:*:*:*:*"], "vendor": "d-link", "product": "d-view", "versions": [{"status": "affected", "version": "2.0.1.28"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-24T13:15:07.356Z"}}], "cna": {"title": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability", "source": {"lang": "en", "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "D-Link", "product": "D-View", "versions": [{"status": "affected", "version": "2.0.1.28"}], "defaultStatus": "unknown"}], "datePublic": "2024-05-14T10:21:23.062-05:00", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/", "name": "ZDI-24-447", "tags": ["x_research-advisory"]}], "dateAssigned": "2024-05-23T16:28:51.915-05:00", "descriptions": [{"lang": "en", "value": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321: Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-23T21:29:58.566Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5296", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:11.620Z", "dateReserved": "2024-05-23T21:28:51.883Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2024-05-23T21:29:58.566Z", "assignerShortName": "zdi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dlink:d-view_8:2.0.1.28:*:*:*:*:*:*:*", "matchCriteriaId": "1EA161F6-3740-4843-B4FA-E3CDC448E64C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n de clave criptogr\u00e1fica codificada mediante D-Link D-View. Esta vulnerabilidad permite a atacantes remotos eludir la autenticaci\u00f3n en las instalaciones afectadas de D-Link D-View. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro de la clase TokenUtils. El problema se debe a una clave criptogr\u00e1fica codificada. Un atacante puede aprovechar esta vulnerabilidad para eludir la autenticaci\u00f3n en el sistema. Era ZDI-CAN-21991."}], "id": "CVE-2024-5296", "lastModified": "2025-08-06T14:25:33.860", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2024-05-23T22:15:15.617", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}