CVE-2019-12787
Description
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the Gateway key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated command injection in HNAP1 SetWanSettings on D-Link DIR-818LW devices due to improper sanitization of the Gateway XML key.
Vulnerability
The vulnerability exists in the HNAP1 SetWanSettings action on D-Link DIR-818LW devices with firmware versions from 2.05.B03 to 2.06B01 BETA. It is a command injection flaw triggered by an XML injection of the value of the Gateway key. The device fails to properly sanitize user-supplied input passed to the Gateway parameter in the SOAP request, allowing arbitrary command execution [1].
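The strict validation that the paragraph above says is missing can be sketched as a check over a captured SetWanSettings request body. This is an added example, not D-Link's code and not taken from the referenced PoC; the envelope layout, the namespace, the function names and the rule that exactly one Gateway element is expected are assumptions, and the sample bodies are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

def gateway_value_ok(value):
    """Accept only a bare dotted-quad IPv4 address (or empty: assumed to be
    legal when the WAN type does not use a static gateway)."""
    if value == "":
        return True
    try:
        ipaddress.IPv4Address(value)  # rejects spaces, ';', '`', '$', '<', ...
        return True
    except ValueError:
        return False

def check_set_wan_settings(body):
    """Return (accepted, reason) for one SetWanSettings request body (str)."""
    # A DTD has no place in this request; refuse it before parsing.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return False, "dtd"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed-xml"
    # Match on the local name so the check is independent of namespace prefixes.
    gateways = [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Gateway"]
    if len(gateways) != 1:  # assumption: the action carries exactly one Gateway
        return False, "gateway-count"
    if len(gateways[0]):  # child elements: markup was injected into the value
        return False, "nested-markup"
    if not gateway_value_ok(gateways[0].text or ""):
        return False, "not-ipv4"
    return True, "ok"

def constructed_body(gateway):
    """Constructed sample body; the envelope layout is an assumption."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><SetWanSettings xmlns="http://purenetworks.com/HNAP1/">'
            "<Gateway>" + gateway + "</Gateway>"
            "</SetWanSettings></soap:Body></soap:Envelope>")

if __name__ == "__main__":
    for value in ["192.0.2.1", "192.0.2.1;x", "192.0.2.1<x/>",
                  "192.0.2.1</Gateway><Gateway>192.0.2.2", "<"]:
        print(repr(value), check_set_wan_settings(constructed_body(value)))
```

The same allow-list rule (parse first, then accept nothing but a literal IPv4 address) applies whether the check runs in a logging proxy in front of the device or in the request handler itself.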
Exploitation
An attacker can exploit this vulnerability by sending a crafted HNAP1 SOAP request to the target device with a malicious Gateway value containing shell metacharacters. The request targets the SetWanSettings method. The attack requires network access to the device, but no authentication is needed — the HNAP1 endpoint is exposed and reachable without credentials [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges on the affected D-Link DIR-818LW router. This can lead to full device compromise, including data exfiltration, installation of persistent malware, or use of the device as a pivot point in the network [1].
Mitigation
The vendor has not released a security advisory or firmware patch for this vulnerability as of the publication date. D-Link did not respond to disclosure attempts. Users are advised to isolate affected devices from the internet or replace them if they reach end-of-life. No workaround is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-818LW
Patches
No patches discovered yet.
References
[1] github.com/TeamSeri0us/pocs/blob/master/iot/dlink/dir818-2-protected.pdf (mitre, x_refsource_MISC)