CVE-2022-28956

Vulnerability

The getcfg.php component in D-Link DIR816L firmware version DIR816L_FW206b01.bin fails to perform proper authentication checks. By sending a crafted payload containing a newline followed by AUTHORIZED_GROUP=1 (%0aAUTHORIZED_GROUP=1), an attacker can bypass the authentication mechanism. This issue exists in the getcfg.php endpoint of the firmware version DIR816L_FW206b01.bin [1].

Exploitation

An attacker needs network access to the affected device. No prior authentication is required. The exploit is performed by appending the string %0aAUTHORIZED_GROUP=1 to the request, which causes the device to treat the request as authorized. The proof-of-concept shows that without this payload, the device returns a "Not authorized" response; with the payload, access is granted [1].

Impact

Successful exploitation allows an unauthenticated attacker to bypass authentication and access the getcfg.php component, which may expose sensitive configuration data or enable further device compromise. The attacker gains unauthorized access to the device's web interface without valid credentials [1].

Mitigation

As of the publication date (2022-05-18), no official fix or patch has been publicly released by D-Link. The vendor's security bulletin page [2] does not list a specific advisory for this vulnerability at the time of writing. Users should consider isolating affected devices from untrusted networks and monitoring for future firmware updates. The device may also be approaching end-of-life (EOL) status.