CVE-2024-33113 is a vulnerability identified in the D-LINK DIR-845L router firmware versions up to 1.01KRb03. The issue resides in the bsc_sms_inbox.php component, which is vulnerable to information disclosure attacks. The vulnerability is linked to CWE-79 (Cross-site Scripting) and CWE-77 (Command Injection), indicating that the affected script may improperly handle user input, allowing an attacker to inject malicious commands or scripts. This can lead to unauthorized disclosure of sensitive information stored or processed by the router, potentially including SMS inbox data or other configuration details. The CVSS 3.1 base score is 5.3, reflecting a medium severity with an attack vector of local access (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope remains unchanged (S:U), and the impact affects confidentiality, integrity, and availability at a low level (C:L/I:L/A:L). No patches or known exploits are currently available, but the vulnerability poses a risk to environments where attackers can gain local or network access to the router's management interface. The vulnerability could be exploited to gather intelligence or prepare for further attacks, especially in environments where these routers are widely deployed.

The primary impact of CVE-2024-33113 is unauthorized information disclosure, which can compromise the confidentiality of data managed by the affected router, such as SMS messages or configuration details. Although the integrity and availability impacts are rated low, attackers could leverage disclosed information to facilitate further attacks, including command injection or privilege escalation. The requirement for local access and low privileges limits the attack surface to internal networks or compromised hosts. Organizations relying on D-LINK DIR-845L routers may face risks of data leakage and potential lateral movement within their networks. This can be particularly concerning in sensitive environments such as small to medium enterprises, home offices, or regions where this router model is prevalent. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop exploit code. The medium severity rating suggests moderate urgency in remediation to prevent exploitation and protect network confidentiality.

To mitigate CVE-2024-33113, organizations should first restrict access to the router's management interfaces to trusted personnel and networks only, ideally via network segmentation and firewall rules. Disable any unnecessary services or interfaces that expose the vulnerable bsc_sms_inbox.php script. Monitor network traffic for unusual activity targeting the router's web interface. Since no official patches are currently available, consider upgrading to newer firmware versions once released by D-LINK that address this vulnerability. If firmware updates are delayed, consider replacing affected devices with models that have no known vulnerabilities. Implement strong authentication and change default credentials to reduce the risk of unauthorized local access. Regularly audit router configurations and logs for signs of exploitation attempts. Educate users about the risks of local network attacks and enforce endpoint security to prevent attackers from gaining initial footholds.