CVE-2018-19986
Description
In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1."/web" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1."/web" is used with the iptables command without any regex checking. A vulnerable /HNAP1/SetRouterSettings XML message could have shell metacharacters in the RemotePort element such as the telnetd string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in D-Link DIR-818LW and DIR-822 routers via the RemotePort parameter in /HNAP1/SetRouterSettings allows unauthenticated remote code execution.
Vulnerability
The /HNAP1/SetRouterSettings SOAP endpoint in D-Link DIR-818LW Rev.A firmware version 2.05.B03 and DIR-822 B1 firmware version 202KRb06 does not sanitize the RemotePort parameter before storing it in internal configuration memory ($path_inf_wan1."/web"). Subsequently, the IPTWAN_build_command function in iptwan.php uses this stored value in an iptables command without any input validation, allowing shell metacharacters to be injected [1].
Exploitation
An unauthenticated attacker can send a crafted SOAP XML message to the /HNAP1/SetRouterSettings endpoint with shell metacharacters in the RemotePort element. For example, setting RemotePort to `` `telnetd` `` will cause the router to execute the telnetd command when the iptables rule is built. No authentication or prior access is required; the HNAP service is typically exposed on the LAN interface [1].
Impact
Successful exploitation allows arbitrary command execution with root privileges on the affected router. The attacker can start a telnet server, modify firewall rules, exfiltrate data, or install persistent malware. The compromise is complete and can lead to full device takeover [1].
Mitigation
As of the publication date (2019-05-13), no official firmware update or patch has been released by D-Link for the affected models. Users should disable remote management and restrict access to the HNAP service via firewall rules if possible. If the device is no longer supported, replacement with a supported model is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-818LW Rev.A
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the RemotePort parameter allows shell metacharacters to be injected into an iptables command."
Attack vector
An attacker sends a crafted SOAP XML message to the `/HNAP1/SetRouterSettings` endpoint. The `RemotePort` element in the XML body contains shell metacharacters, such as backticks enclosing a command like `` `telnetd` `` [1]. Because the device stores this value without sanitization and later interpolates it into an `iptables` shell command, the embedded shell metacharacters are executed with root privileges. The attacker must have network access to the router's HNAP SOAP interface, which is typically exposed on the LAN side and often on the WAN side as well.
Affected code
The vulnerability resides in two PHP source files on the affected D-Link devices. In `SetRouterSettings.php`, the `RemotePort` element from the `/HNAP1/SetRouterSettings` SOAP message is saved into the internal configuration variable `$path_inf_wan1."/web"` without any input validation. Subsequently, in the `IPTWAN_build_command` function of `iptwan.php`, the value stored in `$path_inf_wan1."/web"` is used directly in an `iptables` command without any regex checking [1].
What the fix does
No patch is provided in the bundle. The advisory [1] does not include a fix commit or vendor advisory. To remediate the vulnerability, the vendor would need to add strict input validation (e.g., regex checking) on the `RemotePort` parameter in `SetRouterSettings.php` before storing it, and ensure that the value is safely escaped or validated again before being used in the `iptables` command within `iptwan.php`. Without such validation, any shell metacharacters in the input lead to OS command injection.
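An added example (not code from the advisory or from the D-Link firmware) of the allow-list check described above, written in Python: the same validation runs when the value is stored and again when the command is built, and it doubles as a detector for captured request bodies. The sample bodies are constructed, reduced fragments; the chain name `EXAMPLE_CHAIN` and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted captures, defusedxml is the safer parser

# ASCII digits only; fullmatch() also rejects a trailing newline that "$" would allow.
PORT_RE = re.compile(r"[0-9]{1,5}")

# Constructed sample bodies (reduced fragments, not complete HNAP messages).
SAMPLE_BODIES = [
    "<SetRouterSettings><RemotePort>8080</RemotePort></SetRouterSettings>",
    "<SetRouterSettings><RemotePort>`telnetd`</RemotePort></SetRouterSettings>",
]

def parse_port(value):
    """Return the port as an int if it is a plain decimal in 1..65535, else None."""
    if value is None or not PORT_RE.fullmatch(value):
        return None
    port = int(value)
    return port if 1 <= port <= 65535 else None

def remote_port_from_soap(body):
    """Return the text of the RemotePort element, or None if absent or unparsable."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "RemotePort":  # ignore any XML namespace
            return elem.text or ""
    return None

def iptables_argv(port_text, chain="EXAMPLE_CHAIN"):
    """Validate again at the point of use and return an argv list (no shell parsing)."""
    port = parse_port(port_text)
    if port is None:
        raise ValueError("RemotePort rejected: %r" % port_text)
    # Hypothetical rule shape; the firmware's real rule is not shown on this page.
    return ["iptables", "-A", chain, "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"]

def audit(bodies):
    """Detection side: list RemotePort values that fail the allow-list."""
    flagged = []
    for body in bodies:
        value = remote_port_from_soap(body)
        if value is not None and parse_port(value) is None:
            flagged.append(value)
    return flagged
```
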
Preconditions
- network: Attacker must have network access to the router's HNAP SOAP interface (typically port 80 or 8080 on the LAN side, and often exposed on the WAN side).
- config: The device must be running one of the affected firmware versions: DIR-818LW Rev.A 2.05.B03 or DIR-822 B1 202KRb06.
- auth: No authentication is mentioned as a prerequisite; the advisory implies the HNAP endpoint is accessible without prior login.
Reproduction
Send the following SOAP XML to the `/HNAP1/SetRouterSettings` endpoint of an affected device (e.g., `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 (mitre, x_refsource_MISC)