CVE-2022-46641
Published: 23 December 2022
Summary
CVE-2022-46641 is a critical-severity command injection (CWE-77) vulnerability in D-Link DIR-846 firmware. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
D-Link DIR-846 firmware version A1_FW100A43 contains a command injection vulnerability in the SetIpMacBindSettings function, specifically triggered through the lan(0)_dhcps_staticlist parameter. The flaw is tracked as CVE-2022-46641 with a CVSS 3.1 score of 9.9 and is classified under CWE-77.
An attacker with low-privilege network access can supply crafted input to the affected parameter and execute arbitrary commands on the device. Successful exploitation has high impact on confidentiality, integrity, and availability, and the CVSS scope is changed: compromising the router also exposes the network resources behind it.
Public references point to a detailed vulnerability report on GitHub and to D-Link's security bulletin page, though the available information describes no specific patch or mitigation steps. The EPSS score has remained flat at 0.0693 with no material increase since disclosure.
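The defensive pattern for this bug class is to parse the binding list into typed fields under a strict grammar and never hand the raw parameter to a shell. The example below is added here and is not code from the page, D-Link, or the referenced report; the "IP,MAC" entries separated by ';', the 192.168.0.0/24 LAN, and the /usr/sbin/dhcps_bind helper are assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# Assumed encoding (not documented on this page): "IP,MAC" entries separated by ';'.
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")

def parse_static_list(raw: str, lan_net: str = "192.168.0.0/24") -> List[Tuple[str, str]]:
    """Parse the binding list into (ip, mac) tuples, raising ValueError otherwise.

    Each field must match a narrow grammar (an address inside the LAN, a
    colon-separated MAC), so shell metacharacters such as ';', '|', '`' or
    '$(' can never survive into anything built from the result.
    """
    if len(raw) > 4096:  # bound the input before doing any parsing work
        raise ValueError("static list too long")
    net = ipaddress.ip_network(lan_net)
    entries: List[Tuple[str, str]] = []
    for item in raw.split(";"):
        if not item:
            continue  # tolerate a trailing separator
        parts = item.split(",")
        if len(parts) != 2:
            raise ValueError(f"malformed entry: {item!r}")
        ip_text, mac = parts
        ip = ipaddress.ip_address(ip_text)  # raises ValueError on anything odd
        if ip not in net:
            raise ValueError(f"address outside LAN: {ip_text!r}")
        if not _MAC_RE.fullmatch(mac):
            raise ValueError(f"bad MAC: {mac!r}")
        entries.append((str(ip), mac.lower()))
    return entries

def is_valid_static_list(raw: str) -> bool:
    """Boolean form, usable as a request pre-check in front of the handler."""
    try:
        parse_static_list(raw)
    except ValueError:
        return False
    return True

def build_binding_command(raw: str) -> List[str]:
    """argv for a hypothetical helper binary (name assumed, not from the page)."""
    # Pass to subprocess.run() without shell=True: no shell ever sees the raw
    # request parameter, and only validated fields reach the helper.
    argv = ["/usr/sbin/dhcps_bind"]
    for ip, mac in parse_static_list(raw):
        argv += ["--bind", f"{ip}={mac}"]
    return argv
```

The same check works as a detection rule on the edge: any request whose static-list parameter fails is_valid_static_list is worth alerting on, since a legitimate UI never produces one.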
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-49445
Vulnerability details
D-Link DIR-846 A1_FW100A43 was discovered to contain a command injection vulnerability via the lan(0)_dhcps_staticlist parameter in the SetIpMacBindSettings function.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
D-Link DIR-846, firmware version A1_FW100A43.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.