CVE-2024-57684

CVE-2024-57684 is an access control vulnerability (CWE-276) affecting the formDMZ.cgi component in D-Link DIR-816A2 firmware version 1.10CNB05_R1B011D88210. Published on January 16, 2025, it enables unauthenticated attackers to configure the device's DMZ service by sending a crafted POST request. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impacts across confidentiality, integrity, and availability.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By targeting the formDMZ.cgi endpoint, they can arbitrarily set the DMZ service configuration, granting them unauthorized control over the router's exposure settings.

Advisories and mitigation guidance are available via the vendor's security bulletin at https://www.dlink.com/en/security-bulletin/ and a detailed disclosure including proof-of-concept at https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Unauthorized_Vulnerability/D-Link/DIR-816/formDMZ.md. Security practitioners should consult these resources for patching instructions or workarounds specific to affected D-Link DIR-816A2 devices.