CVE-2022-26258
Published: 28 March 2022
Summary
CVE-2022-26258 is a critical-severity OS command injection (CWE-78) vulnerability in D-Link DIR-820L firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
D-Link DIR-820L firmware version 1.05B03 contains a remote command execution vulnerability that stems from improper handling of HTTP POST requests to the get set ccp endpoint. The flaw is tracked as CVE-2022-26258 with a CVSS 3.1 score of 9.8 and is classified under CWE-78, indicating OS command injection.
An unauthenticated attacker with network access can submit a crafted POST request to execute arbitrary commands on the device. Successful exploitation grants full control over the router, allowing confidentiality, integrity, and availability impacts without requiring user interaction or credentials.
Public references include D-Link's security bulletin page along with proof-of-concept details hosted on GitHub that demonstrate the request format needed for exploitation. The associated EPSS score currently stands at 0.8716 with a recorded peak of 0.8834.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30821
Vulnerability details
D-Link DIR-820L 1.05B03 was discovered to contain a remote command execution (RCE) vulnerability via HTTP POST to get set ccp.
- CWE(s): CWE-78
- KEV date added: 08 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of HTTP POST input to the get set ccp endpoint, blocking the OS command injection (CWE-78) that enables unauthenticated RCE.
- AC-3 (Access Enforcement): enforces authentication and authorization checks before any request to the management interface is processed, eliminating the unauthenticated access path used by this CVE.
- Restricts network exposure of the device's web management endpoint, limiting the attack surface for remote unauthenticated command execution over HTTP.
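As an added illustration of the first two controls (this is constructed example code, not D-Link firmware or anything from the advisory), a minimal Python model of a management POST handler: the endpoint path and the `host` field are assumptions, since the page only names the endpoint "get set ccp".

```python
import re
from urllib.parse import parse_qs

# Assumed placeholder path; the real DIR-820L endpoint path is not given here.
MGMT_ENDPOINT = "/assumed_get_set_ccp"
# SI-10 allowlist: one hypothetical field, a hostname that may not start with '-'
# (so it can never be read as a command-line option by the program it reaches).
ALLOWED_FIELDS = {"host": re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")}


def vulnerable_command(host: str) -> str:
    """CWE-78 pattern: an untrusted POST field is concatenated into a shell
    command line destined for system(); shell metacharacters survive intact."""
    return f"ping -c 1 {host}"


def hardened_argv(host: str) -> list:
    """SI-10 fix: allowlist-validate, then hand the value over as a single argv
    element so no shell ever interprets it."""
    if not ALLOWED_FIELDS["host"].match(host):
        raise ValueError("host rejected by allowlist")
    return ["ping", "-c", "1", host]


def handle_post(path: str, body: str, authenticated: bool) -> tuple:
    """AC-3 first: an unauthenticated caller never reaches body parsing.
    Returns (status, payload) where payload is the argv list on success."""
    if path != MGMT_ENDPOINT:
        return 404, "not found"
    if not authenticated:
        return 401, "authentication required"
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        pattern = ALLOWED_FIELDS.get(name)
        # Unknown fields, repeated fields and non-matching values are all rejected.
        if pattern is None or len(values) != 1 or not pattern.match(values[0]):
            return 400, f"rejected field {name!r}"
    argv = hardened_argv(fields["host"][0]) if "host" in fields else []
    return 200, argv
```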