VYPR
Unrated severity · NVD Advisory · Published May 10, 2022 · Updated Aug 3, 2024

CVE-2022-28896

Description

A command injection vulnerability in the component /setnetworksettings/SubnetMask of D-Link DIR882 DIR882A1_FW130B06 allows attackers to escalate privileges to root via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

D-Link DIR-882 DIR882A1_FW130B06 configuration endpoint /setnetworksettings/SubnetMask allows command injection, enabling privilege escalation to root.

Vulnerability

A command injection vulnerability exists in the /setnetworksettings/SubnetMask endpoint of the D-Link DIR-882 router running firmware version DIR882A1_FW130B06. The component fails to properly sanitize user-supplied input when setting the subnet mask, allowing an attacker to inject arbitrary operating system commands. The vulnerability is reachable through the web-based management interface.
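The missing input check described above can be illustrated with a strict allow-list validator for a subnet mask, applied before the value reaches any shell or system call. This is an added example, not D-Link's firmware code or code from the referenced advisory; the function name `is_valid_subnet_mask` is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical helper: returns 1 only if s is a canonical dotted-quad
 * IPv4 netmask (e.g. "255.255.255.0"), otherwise 0. */
int is_valid_subnet_mask(const char *s)
{
    uint32_t mask = 0;
    int octets = 0;

    if (s == NULL)
        return 0;

    while (octets < 4) {
        unsigned value = 0;
        int digits = 0;

        /* Accept decimal digits only: 1 to 3 per octet, no leading zero. */
        while (*s >= '0' && *s <= '9') {
            if (++digits > 3)
                return 0;
            value = value * 10 + (unsigned)(*s - '0');
            s++;
        }
        if (digits == 0 || value > 255)
            return 0;
        if (digits > 1 && s[-digits] == '0')
            return 0;

        mask = (mask << 8) | value;
        octets++;

        if (octets < 4) {
            if (*s != '.')
                return 0;
            s++;
        }
    }

    /* Nothing may follow the fourth octet: rejects shell metacharacters,
     * whitespace, newlines and any other trailing bytes. */
    if (*s != '\0')
        return 0;

    /* A netmask is a run of 1-bits followed by 0-bits, so its inverse
     * must have the form 2^n - 1. */
    uint32_t inv = ~mask;
    return (inv & (inv + 1)) == 0;
}
```

A check like this is paired with handing the value to the operating system without a shell (an ioctl or an argv array rather than a formatted command string), so that no metacharacter is ever interpreted.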

Exploitation

An attacker with network access to the router's management interface can craft a malicious HTTP request to the /setnetworksettings/SubnetMask endpoint by including shell metacharacters in the SubnetMask parameter. The attacker does not require prior authentication if the management interface is exposed. The injected commands are executed with root privileges.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with root-level privileges. This results in a complete compromise of the device's confidentiality, integrity, and availability.

Mitigation

D-Link has not released a firmware update addressing this vulnerability as of the publication date [1]. Users should restrict access to the management interface to trusted networks and disable remote administration if not required. The DIR-882 may be approaching end-of-life status; consult D-Link's support page for the latest information [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • D-Link/DIR882 (matched from description)
  • Dlink/DIR882 (llm-fuzzy match)
    Range: = A1_FW130B06

Patches

0

No patches discovered yet.

References

2
