CVE-2022-26258

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 28 March 2022

Modified: 03 November 2025
KEV Added: 08 September 2022
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8716 (99.5th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26258 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-820L firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

D-Link DIR-820L firmware version 1.05B03 contains a remote command execution vulnerability that stems from improper handling of HTTP POST requests to the get set ccp endpoint. The flaw is tracked as CVE-2022-26258 with a CVSS 3.1 score of 9.8 and is classified under CWE-78, indicating OS command injection.

An unauthenticated attacker with network access can submit a crafted POST request to execute arbitrary commands on the device. Successful exploitation grants full control over the router, allowing confidentiality, integrity, and availability impacts without requiring user interaction or credentials.

Public references include D-Link's security bulletin page along with proof-of-concept details hosted on GitHub that demonstrate the request format needed for exploitation. The associated EPSS score currently stands at 0.8716 with a recorded peak of 0.8834.

Vulnerability details

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 08 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dlink
Product: dir-820l firmware
Version: 1.05b03

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation and sanitization of HTTP POST input to the get set ccp endpoint, blocking the OS command injection (CWE-78) that enables unauthenticated RCE.

Prevent: Enforces authentication and authorization checks before any request to the management interface is processed, eliminating the unauthenticated access path used by this CVE.

Prevent: Restricts network exposure of the device's web management endpoint, limiting the attack surface for remote unauthenticated command execution over HTTP.
