CVE-2019-10891
Description
Command injection in D-Link DIR-806 devices allows remote attackers to execute arbitrary shell commands via a specially crafted HTTP header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in D-Link DIR-806 devices allows remote attackers to execute arbitrary shell commands via a specially crafted HTTP header.
Vulnerability
A command injection vulnerability exists in the hnap_main function of D-Link DIR-806 devices. The function calls system() without validating user-controlled parameters, allowing remote attackers to inject arbitrary shell commands. All firmware versions for the DIR-806 are affected [1].
Exploitation
An attacker with network access to the device can exploit this vulnerability by sending a specially crafted HTTP header to the HNAP interface. No authentication is required. The attack does not require user interaction and can be executed remotely.
Impact
Successful exploitation grants the attacker arbitrary command execution on the device, likely with root privileges. This can lead to full device compromise, including data exfiltration, malware installation, or using the device as a pivot for further attacks.
Mitigation
No patch is available as D-Link has classified the DIR-806 as End of Life (EOL) and End of Service Life (EOS). D-Link recommends retiring and replacing affected devices [1]. Until replacement, users should isolate the device from untrusted networks and disable remote administration if possible.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- D-Link/DIR-806description
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.