Cyber Resilience

CVE-2022-50596

CriticalPublic PoCRCE

Published: 06 November 2025

Published
06 November 2025
Modified
28 November 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0634 91.2th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-50596 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-1260 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-50596 is a command injection vulnerability (CWE-78) in D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05. The issue exists within the web management interface, specifically in the SetDest/Dest/Target arguments to the GetDeviceSettings form. This flaw enables unauthenticated attackers to execute arbitrary commands on the device with root privileges. The management interface is accessible over HTTP and HTTPS on local and Wi-Fi networks and optionally from the Internet, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers able to reach the exposed web management interface can exploit the vulnerability to achieve remote code execution as root on the router. Exploitation requires no privileges, user interaction, or special conditions beyond network access, making it highly practical for remote attackers if the interface faces the Internet or for local/Wi-Fi adversaries.

Advisories provide mitigation guidance, including D-Link's support announcement SAP10298 at https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10298. Additional details on the vulnerability and remediation are available from Exodus Intelligence at https://blog.exodusintel.com/2022/05/11/d-link-dir-1260-getdevicesettings-pre-auth-command-injection-vulnerability/ and VulnCheck at https://www.vulncheck.com/advisories/dlink-dir1260-getdevicesettings-unauthenticated-command-injection.

EU & UK References

Vulnerability details

D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists…

more

within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local and Wi-Fi networks and optionally from the Internet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated command injection in the exposed web management interface of the router enables remote code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25895Same vendor: Dlink
CVE-2025-9727Same vendor: Dlink
CVE-2018-25115Same vendor: Dlink
CVE-2013-10048Same vendor: Dlink
CVE-2018-25120Same vendor: Dlink
CVE-2013-10069Same vendor: Dlink
CVE-2025-25894Same vendor: Dlink
CVE-2013-10050Same vendor: Dlink
CVE-2025-70231Same vendor: Dlink
CVE-2026-8346Same vendor: Dlink

Affected Assets

dlink
dir-1260 firmware
≤ 1.20b05

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by validating and sanitizing the SetDest/Dest/Target arguments in the GetDeviceSettings web form.

prevent

Limits permitted actions without identification or authentication, prohibiting unauthenticated access to the vulnerable web management interface functions.

prevent

Remediates the specific command injection flaw through timely application of firmware patches as per D-Link advisory SAP10298.

References