Cyber Resilience

CVE-2022-37128

CriticalPublic PoC

Published: 31 August 2022

Published
31 August 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0138 80.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-37128 is a critical-severity Improper Initialization (CWE-665) vulnerability in Dlink Dir-816 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 19.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-37128 is an improper initialization vulnerability in the D-Link DIR-816 router running firmware A2_v1.10CNB04.img. The flaw resides in the /goform/wizard_end endpoint, which permits network initialization without any authentication, allowing remote configuration of the device over the network. It carries a CVSS 3.1 score of 9.8 and is associated with CWE-665.

An unauthenticated attacker with network access can invoke the wizard endpoint to complete initial setup, thereby gaining the ability to configure or take control of the router and its connected network with full impact on confidentiality, integrity, and availability.

D-Link references its security bulletin page for the affected product line, while public analysis on GitHub details the endpoint behavior. The associated EPSS score rose from a low baseline to a peak of 0.0692 on 2025-12-11 before receding to the current value of 0.0138, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

In D-Link DIR-816 A2_v1.10CNB04.img the network can be initialized without authentication via /goform/wizard_end.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
dir-816 firmware
1.10cnb04

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-665

Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.

addresses: CWE-665

Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.

References