CVE-2022-37130
Published: 31 August 2022
Summary
CVE-2022-37130 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-816 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-37130 is a command-injection vulnerability (CWE-78) affecting the D-Link DIR-816 A2_v1.10CNB04 and DIR-878 DIR_878_FW1.30B08.img firmware. The flaw is in the /goform/Diagnosis handler: once a condition in the handler is satisfied, the setnum request parameter is formatted via snprintf into a buffer (v10) that is then passed directly to system(), so arbitrary operating-system commands can be executed with the privileges of the web server process.
An unauthenticated attacker can exploit the issue remotely over the network by submitting a crafted HTTP request to the Diagnosis endpoint. Successful exploitation yields full control of the device, including the ability to read or modify configuration, exfiltrate data, or pivot within the local network, consistent with the CVSS 9.8 rating.
Public references include proof-of-concept code on GitHub and a D-Link security bulletin page; the latter provides the vendor’s general guidance for affected routers, while the EPSS score has remained at 0.3029.
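As an added illustration of the fix for the snprintf-into-system() pattern described above (this is not code from the advisory or from D-Link's firmware): the setnum value is parsed against a strict allowlist and then passed to the diagnostic command as its own argv element through execvp(), so no shell ever interprets request data. The use of ping, the SETNUM_MAX bound and the loopback target are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed bound on the Diagnosis "setnum" (probe count); the real firmware's
 * limit is not stated in the advisory. */
#define SETNUM_MAX 10

/* Allowlist parse: only a 1- or 2-digit decimal number in 1..SETNUM_MAX is
 * accepted. Returns the value, or -1 for anything else, so shell
 * metacharacters can never reach a command string. */
int parse_setnum(const char *setnum)
{
    int n = 0;
    if (setnum == NULL || strlen(setnum) == 0 || strlen(setnum) > 2)
        return -1;
    for (const char *p = setnum; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        n = n * 10 + (*p - '0');
    }
    return (n >= 1 && n <= SETNUM_MAX) ? n : -1;
}

/* Hardened stand-in for "snprintf(v10, ...); system(v10);": the count is
 * validated, re-rendered from an int rather than copied from the request,
 * and passed to execvp() as its own argv element, so no shell parses it.
 * Returns the child's exit status, or -1 if setnum is rejected or fork fails.
 * The ping command and loopback target are assumptions for illustration. */
int run_diagnosis(const char *setnum)
{
    char count[4];
    int status = 0, n = parse_setnum(setnum);
    if (n < 0)
        return -1;
    snprintf(count, sizeof count, "%d", n);
    char *const argv[] = { "ping", "-c", count, "127.0.0.1", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);  /* only reached if exec fails */
    }
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```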
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39783
Vulnerability details
In D-Link DIR-816 A2_v1.10CNB04 and DIR-878 DIR_878_FW1.30B08.img, a command injection vulnerability occurs in /goform/Diagnosis: after the condition is met, setnum is spliced into v10 by snprintf and system() is then executed, resulting in a command injection vulnerability.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.