Cyber Resilience

CVE-2018-6530

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linkedRCE

Published: 06 March 2018

Published
06 March 2018
Modified
07 November 2025
KEV Added
08 September 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9421 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-6530 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-860L Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-6530 is an OS command injection vulnerability (CWE-78) residing in the soap.cgi component, specifically the soapcgi_main function, across multiple D-Link wireless router models. Affected devices include the DIR-880L (versions up to REVA_FIRMWARE_PATCH_1.08B04), DIR-868L (up to DIR868LA1_FW112b04), DIR-865L (up to REVA_FIRMWARE_PATCH_1.08.B01), and DIR-860L (up to DIR860LA1_FW110b04). The flaw permits arbitrary operating system command execution when an attacker supplies crafted input to the service parameter.

Unauthenticated remote attackers can exploit the issue over the network by sending a malicious SOAP request to the affected CGI endpoint. Successful exploitation grants the ability to run arbitrary commands on the device with the privileges of the web server process, potentially leading to full device compromise including configuration changes, persistent access, or use as an attack pivot.

Vendor advisories published by D-Link provide firmware patch notes for each model that address the vulnerability through updated releases, such as version 1.11B01 for the DIR-860L, 1.20B01 for the DIR-868L, 1.10B01 for the DIR-865L, and 1.08B06 for the DIR-880L. A public proof-of-concept repository demonstrates exploitation of the SOAP protocol flaw across the listed devices.

EU & UK References

Vulnerability details

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands…

more

via the service parameter.

CWE(s)
KEV Date Added
08 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
dir-860l firmware
≤ 1.10b04
dlink
dir-865l firmware
≤ 1.08b01
dlink
dir-868l firmware
≤ 1.12b04
dlink
dir-880l firmware
≤ 1.08b04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the service parameter in soap.cgi to block OS command injection payloads.

prevent

Enforces access control on the unauthenticated SOAP/CGI endpoint so that only authorized subjects can invoke soapcgi_main.

prevent

Mandates timely application of the vendor firmware patches (e.g., 1.08B06, 1.11B01) that eliminate the command-injection flaw.

References