CVE-2025-29514
D-Link · DSL-7740C
An incorrect access control vulnerability in the config.xgi function of D-Link DSL-7740C allows unauthenticated attackers to download sensitive configuration files via crafted web requests.
Executive summary
A critical access control vulnerability in D-Link DSL-7740C firmware permits unauthenticated attackers to exfiltrate sensitive configuration data, including potential credentials.
Vulnerability
The config.xgi function lacks proper authentication enforcement, enabling unauthenticated remote attackers to retrieve the device configuration file. This file often contains sensitive information required for further exploitation of the network.
Business impact
Successful exploitation allows an attacker to gain deep insight into the internal network configuration, including administrative credentials and connection settings. Given the 9.8 CVSS score, this represents a high-impact breach of confidentiality that could facilitate lateral movement and further compromise of the internal environment.
Remediation
Immediate Action: Verify if a firmware update is available from the vendor and apply it immediately to restrict unauthorized access to configuration endpoints.
Proactive Monitoring: Review web server access logs for repeated requests to the config.xgi endpoint originating from unauthorized sources.
Compensating Controls: Implement strict network access control lists (ACLs) to block external access to the device's management functions.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability presents a significant risk to sensitive information. Administrators must treat this as a high-priority item and ensure that the management interface of the DSL-7740C is not reachable from untrusted networks until a vendor-supplied patch is successfully deployed.