Overview

On July 22, 2025, third-party security researcher reported multiple vulnerabilities in the D-Link D-View 8.0 Network Device Management platform.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

Report Information  

         - Report #1 - CVE-2026-23754 : Link : by Kazuma Matsumoto, Security Researcher at GMO Cybersecurity by IERAE, Inc.

                                      - Vulcheck - Disclosure - Link - CVSS V4 Vector - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

                                       Details : CWE-639: Authorization Bypass Through User-Controlled Key

                                       D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account.

                           - Remediation See Below This is a licensed software. License is purchased seperatedly. The link below will does have a trial verison that will run for a limited time. Contact D-Link for Licenses or license information.       

         - Report #2 - CVE-2026-23755 : Link : by Kazuma Matsumoto, Security Researcher at GMO Cybersecurity by IERAE, Inc.

                                    - Vulcheck - Disclosure - Link - CVSS V4 Vector - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

                                    Details : CWE-427 Uncontrolled Search Path Element

                                    D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloading. An attacker can supply a malicious version.dll alongside the legitimate installer so that, when a victim runs the installer and approves the UAC prompt, attacker-controlled code executes with administrator privileges.

                          - Remediation See Below This is a licensed software. License is purchased seperatedly. The link below will does have a trial verison that will run for a limited time. Contact D-Link for Licenses or license information.       

Affected Models

Regarding the Security Update for Your D-Link Device

Installing firmware updates is a critical step in addressing security vulnerabilities in your D-Link devices. D-Link strongly urges all users to install the relevant updates and regularly check for further updates. After downloading the firmware update, it is essential to ALWAYS validate its success by comparing the firmware version on your product interface to the firmware update version.

Please note that beta software, beta firmware, or a hot-fix release is still undergoing rigorous testing before its official release. This ensures that the software is of the highest quality and meets our stringent standards. However, it is essential to understand that the user assumes all risk and liability for its use. D-Link does not provide any express or implied warranties regarding the suitability or usability of the beta software, beta firmware, or hot-fix release. D-Link will not be liable for any direct, indirect, special, or consequential loss suffered by any party due to their use of the beta firmware, beta software, or hit-fix release.

NOTE: Our products have different hardware revisions, so please check your device’s hardware revision before downloading the corresponding firmware update. The hardware revision can be found on the product label next to the serial number or on the device's web interface.