CVE-2017-8408
CVE-2017-8408 is a critical-severity vulnerability in Dlink Dcs-1130 Firmware with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-77.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 5% (91st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-77
- Affected product: Dlink Dcs-1130 Firmware
- Published:
- Last modified:
Description
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the GET parameters passed in this request (to test if SMB credentials and hostname sent to the device work properly) result in being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware version is dissected using binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "cgibox" is the one that has the vulnerable function "sub_7EAFC" that receives the values sent by the GET request. If we open this binary in IDA-pro we will notice that this follows a ARM little endian format. The function sub_7EAFC in IDA pro is identified to be receiving the values sent in the GET request and the value set in GET parameter "user" is extracted in function sub_7E49C which is then passed to the vulnerable system API call.
Frequently asked questions
- What is CVE-2017-8408?
- An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the GET parameters passed in this request (to test if SMB credentials and hostname sent to the device work properly) result in being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware version is dissected using binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "cgibox" is the one that has the vulnerable function "sub_7EAFC" that receives the values sent by the GET request. If we open this binary in IDA-pro we will notice that this follows a ARM little endian format. The function sub_7EAFC in IDA pro is identified to be receiving the values sent in the GET request and the value set in GET parameter "user" is extracted in function sub_7E49C which is then passed to the vulnerable system API call.
- How severe is CVE-2017-8408?
- CVE-2017-8408 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-8408 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 5% (91st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-8408?
- CVE-2017-8408 affects Dlink Dcs-1130 Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2017-8408?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2017-8408 published?
- CVE-2017-8408 was published on 2019-07-02 and last updated on 2026-06-17.
References
- https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf
- https://seclists.org/bugtraq/2019/Jun/8
Affected products (1)
- cpe:2.3:o:dlink:dcs-1130_firmware:-:*:*:*:*:*:*:*
More vulnerabilities in Dlink Dcs-1130 Firmware
- CVE-2013-1599 — Critical (CVSS 9.8): A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430…
- CVE-2017-8415 — Critical (CVSS 9.8): An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the…
- CVE-2017-8410 — Critical (CVSS 9.8): An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary rtspd in /sbin folder of the device handles…
- CVE-2017-8404 — Critical (CVSS 9.8): An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB…
- CVE-2017-8417 — High (CVSS 8.8): An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device requires that a user logging into the…
- CVE-2017-8416 — High (CVSS 8.8): An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which…
All CVEs affecting Dlink Dcs-1130 Firmware →
Other CWE-77 (Command Injection) vulnerabilities
- CVE-2026-23652 — Critical (CVSS 10.0): Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an…
- CVE-2025-59818 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file…
- CVE-2025-64093 — Critical (CVSS 10.0): Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the…
- CVE-2025-64090 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
- CVE-2025-61492 — Critical (CVSS 10.0): A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to…
- CVE-2025-10035 — Critical (CVSS 10.0): A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged…