Cyber Resilience

CVE-2022-28915

Critical · Public PoC · RCE

Published: 10 May 2022

Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.2861 (96.6th percentile)
Risk priority: 37 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-28915 is a critical-severity OS command injection (CWE-78) vulnerability in D-Link DIR-816 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 3.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

D-Link DIR-816 A2_v1.10CNB04 contains an OS command injection vulnerability (CWE-78) in the web management interface at /goform/setSysAdm, where the admuser and admpass parameters are processed without adequate sanitization. The flaw received a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted values to these parameters and execute arbitrary operating-system commands on the device. Successful exploitation grants complete control over the router, enabling actions such as configuration changes, traffic interception, or use of the device as a pivot into the local network.

Public references include a D-Link security bulletin page and a GitHub repository that documents the affected endpoint and proof-of-concept input. The EPSS score rose from a low baseline to a peak of 0.3342, indicating that exploitation interest increased after disclosure and that the issue merits renewed attention from defenders.


Vulnerability details

D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a command injection vulnerability via the admuser and admpass parameters in /goform/setSysAdm.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named threat-actor attribution yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

Vendor: dlink
Product: dir-816 firmware
Version: 1.10cnb04

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
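The second control above (input validation) is the one that maps directly onto the weakness described in the deeper analysis: the admuser and admpass parameters of /goform/setSysAdm reaching an OS-level operation without sanitisation. The following Python is an added example, not D-Link firmware code, that models how a handler for such an endpoint would validate both parameters against an allowlist and hand the values to a helper as a separate argv vector rather than a shell string. The character policy, length limits, helper path and argv layout are assumptions for illustration.

```python
"""Allowlist validation for credential parameters on a router admin endpoint.

Added example (not D-Link code): models a /goform/setSysAdm-style handler
that validates the admuser and admpass parameters before they reach any
OS-level operation, and never builds a shell command string from them.
"""
import re
from typing import Dict, List, Tuple

# Assumed policy: usernames are short [A-Za-z0-9_]; passwords are printable
# ASCII drawn from a fixed allowlist that excludes every character a POSIX
# shell treats specially (; | & ` $ < > ( ) \ quotes, whitespace, globs).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
MAX_PASSWORD_LEN = 64
PASSWORD_CHARS = r"A-Za-z0-9._@#%^+=:,!~-"
PASSWORD_RE = re.compile(f"^[{PASSWORD_CHARS}]{{1,{MAX_PASSWORD_LEN}}}$")
PASSWORD_CHAR_RE = re.compile(f"[{PASSWORD_CHARS}]")


def validate_username(value: str) -> Tuple[bool, str]:
    """Accept only short alphanumeric usernames; anything else is rejected."""
    if USERNAME_RE.fullmatch(value):
        return True, "ok"
    return False, "admuser must be 1-32 characters of [A-Za-z0-9_]"


def validate_password(value: str) -> Tuple[bool, str]:
    """Reject passwords outside the allowlist and report the offending characters."""
    if not 1 <= len(value) <= MAX_PASSWORD_LEN:
        return False, f"admpass length must be 1-{MAX_PASSWORD_LEN}"
    if PASSWORD_RE.fullmatch(value):
        return True, "ok"
    bad = sorted({c for c in value if not PASSWORD_CHAR_RE.fullmatch(c)})
    return False, "admpass contains disallowed characters: " + repr("".join(bad))


def build_set_admin_argv(admuser: str, admpass: str) -> List[str]:
    """Return an argv vector for a hypothetical credential-setting helper.

    Passing a list to execv/subprocess (no shell) delivers each value as a
    single argument regardless of its content; the allowlist checks above
    are defence in depth on top of that, not a substitute for it.
    """
    return ["/usr/sbin/set-admin-cred", "--user", admuser, "--password", admpass]


def handle_set_sys_adm(params: Dict[str, str]) -> Dict[str, object]:
    """Validate the request parameters; return a status dict instead of touching the OS."""
    user = params.get("admuser", "")
    pw = params.get("admpass", "")
    ok_u, why_u = validate_username(user)
    if not ok_u:
        return {"status": 400, "error": why_u}
    ok_p, why_p = validate_password(pw)
    if not ok_p:
        return {"status": 400, "error": why_p}
    return {"status": 200, "argv": build_set_admin_argv(user, pw)}


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic) showing accept/reject.
    for sample in (
        {"admuser": "admin", "admpass": "Str0ng-Pass"},
        {"admuser": "a;b", "admpass": "x"},
        {"admuser": "admin", "admpass": "pw$(x)"},
    ):
        print(sample, "->", handle_set_sys_adm(sample))
```

Two design points matter here. The allowlist is deliberately narrower than "everything except shell metacharacters": a blocklist is easy to get wrong across shells and quoting contexts, whereas a fixed set of permitted characters fails closed. And the hardened path never formats the values into a command string at all; even if the allowlist were loosened later, an argv vector handed to execv or subprocess without a shell does not reinterpret its arguments.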
