CVE-2022-28901
Description
A command injection vulnerability in the component /SetTriggerLEDBlink/Blink of D-Link DIR882 DIR882A1_FW130B06 allows attackers to escalate privileges to root via a crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in D-Link DIR882's LED blink function allows unauthenticated attackers to escalate privileges to root.
Vulnerability
A command injection vulnerability exists in the /SetTriggerLEDBlink/Blink component of D-Link DIR882 routers running firmware version DIR882A1_FW130B06. The affected endpoint fails to properly sanitize user-supplied input before incorporating it into a system command, allowing an attacker to inject arbitrary commands. No authentication is required to reach this endpoint.
Exploitation
An attacker with network access to the device can send a crafted HTTP request to the /SetTriggerLEDBlink/Blink endpoint with a malicious payload in the parameter that triggers the command injection. The attacker does not need any prior authentication or user interaction. The injected commands execute in the context of the web server, which typically runs with root privileges on this model [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges, leading to full compromise of the device. The attacker can read, modify, or delete sensitive data, install malware, or use the device as a pivot for further attacks on the network.
Mitigation
As of the publication date (2022-05-10), D-Link has not released a firmware update to address this vulnerability. Users should monitor D-Link's security bulletin page [1] for any future patches. If the device is no longer supported (end-of-life), consider replacing it with a model that receives security updates. As a workaround, restrict network access to the device's management interface to trusted hosts only.
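A log triage example for the workaround above, added here and not taken from the CVE record, its references or D-Link: it flags requests that name the SetTriggerLEDBlink component when they come from outside a trusted management range or carry shell metacharacters in a parameter value. The JSON-lines log format, the field names (src, path, param), the trusted range and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
import re
from urllib.parse import unquote

COMPONENT = "settriggerledblink"  # component named in the CVE description
# Assumption: the only range allowed to reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/28")]
# Separators and substitutions a shell would act on inside a parameter value.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Constructed sample records, one JSON object per line; field names are assumed.
SAMPLE_LOG = """\
{"src": "192.168.0.5", "path": "/SetTriggerLEDBlink/Blink", "param": "1"}
{"src": "203.0.113.7", "path": "/SetTriggerLEDBlink/Blink", "param": "1"}
{"src": "192.168.0.5", "path": "/SetTriggerLEDBlink/Blink", "param": "1%3B<command>"}
{"src": "198.51.100.9", "path": "/index.html", "param": ""}
{"src": "203.0.113.7", "path": "/SetTriggerLEDBlink/Blink", "param": "1`<command>`"}
not json
"""


def triage(log_text):
    """Return (line number, reason) for each record that needs review."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src"])
            path, param = str(rec["path"]), str(rec.get("param", ""))
        except (ValueError, KeyError, TypeError):
            findings.append((lineno, "unparseable"))  # never drop silently
            continue
        if COMPONENT not in path.lower():
            continue  # not a request to the affected component
        reasons = []
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
        # Decode percent-encoding first so encoded separators are still seen.
        if SHELL_META.search(unquote(param)):
            reasons.append("shell-metacharacter")
        if reasons:
            findings.append((lineno, "+".join(reasons)))
    return findings


if __name__ == "__main__":
    for lineno, reason in triage(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```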
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR882 (description)
Patches
No patches discovered yet.
References
- github.com/EPhaha/IOT_vuln/tree/main/d-link/dir-882/3 (mitre, x_refsource_MISC)
- www.dlink.com/en/security-bulletin/ (mitre, x_refsource_MISC)