CVE-2018-6530
Published: 06 March 2018
Summary
CVE-2018-6530 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-860L firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-6530 is an OS command injection vulnerability (CWE-78) residing in the soap.cgi component, specifically the soapcgi_main function, across multiple D-Link wireless router models. Affected devices include the DIR-880L (versions up to REVA_FIRMWARE_PATCH_1.08B04), DIR-868L (up to DIR868LA1_FW112b04), DIR-865L (up to REVA_FIRMWARE_PATCH_1.08.B01), and DIR-860L (up to DIR860LA1_FW110b04). The flaw permits arbitrary operating system command execution when an attacker supplies crafted input to the service parameter.
Unauthenticated remote attackers can exploit the issue over the network by sending a malicious SOAP request to the affected CGI endpoint. Successful exploitation grants the ability to run arbitrary commands on the device with the privileges of the web server process, potentially leading to full device compromise including configuration changes, persistent access, or use as an attack pivot.
Vendor advisories published by D-Link provide firmware patch notes for each model that address the vulnerability through updated releases, such as version 1.11B01 for the DIR-860L, 1.20B01 for the DIR-868L, 1.10B01 for the DIR-865L, and 1.08B06 for the DIR-880L. A public proof-of-concept repository demonstrates exploitation of the SOAP protocol flaw across the listed devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-18282
Vulnerability details
OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
- CWE(s): CWE-78
- KEV Date Added: 08 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of the service parameter in soap.cgi to block OS command injection payloads.
Enforces access control on the unauthenticated SOAP/CGI endpoint so that only authorized subjects can invoke soapcgi_main.
Mandates timely application of the vendor firmware patches (e.g., 1.08B06, 1.11B01) that eliminate the command-injection flaw.