CVE-2019-13482

Vulnerability

A command injection vulnerability exists in the SetWanSettings action of the HNAP1 interface on D-Link DIR-818LW devices running firmware version 2.06betab01. The Type field is not sanitized before being passed to a system shell, allowing authenticated users to inject arbitrary OS commands via shell metacharacters. The vulnerability is reachable when an attacker has valid authentication credentials for the device's web interface [1].

Exploitation

An attacker must first authenticate to the HNAP1 interface using valid credentials. Once authenticated, a crafted SOAP request to SetWanSettings with a malicious payload in the Type field (e.g., containing semicolons or backticks) can be sent. The device will then execute the injected commands as part of the system call made by the HNAP handler [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device with root privileges, leading to full compromise of the affected router. This includes the ability to read or modify sensitive configuration, install malware, or disrupt network operations [1].

Mitigation

As of the publication date (2019-07-10), no fixed firmware version has been released by D-Link. Users should restrict access to the management interface to trusted networks only and consider replacing the device if it is no longer supported. No workaround beyond network-level access controls is available [1].