CVE-2022-50596
Published: 06 November 2025
Summary
CVE-2022-50596 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-1260 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by validating and sanitizing the SetDest/Dest/Target arguments in the GetDeviceSettings web form.
Limits permitted actions without identification or authentication, prohibiting unauthenticated access to the vulnerable web management interface functions.
Remediates the specific command injection flaw through timely application of firmware patches as per D-Link advisory SAP10298.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection in the exposed web management interface of the router enables remote code execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists…
more
within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local and Wi-Fi networks and optionally from the Internet.
Deeper analysisAI
CVE-2022-50596 is a command injection vulnerability (CWE-78) in D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05. The issue exists within the web management interface, specifically in the SetDest/Dest/Target arguments to the GetDeviceSettings form. This flaw enables unauthenticated attackers to execute arbitrary commands on the device with root privileges. The management interface is accessible over HTTP and HTTPS on local and Wi-Fi networks and optionally from the Internet, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers able to reach the exposed web management interface can exploit the vulnerability to achieve remote code execution as root on the router. Exploitation requires no privileges, user interaction, or special conditions beyond network access, making it highly practical for remote attackers if the interface faces the Internet or for local/Wi-Fi adversaries.
Advisories provide mitigation guidance, including D-Link's support announcement SAP10298 at https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10298. Additional details on the vulnerability and remediation are available from Exodus Intelligence at https://blog.exodusintel.com/2022/05/11/d-link-dir-1260-getdevicesettings-pre-auth-command-injection-vulnerability/ and VulnCheck at https://www.vulncheck.com/advisories/dlink-dir1260-getdevicesettings-unauthenticated-command-injection.
Details
- CWE(s)