CVE-2022-37056
Description
D-Link GO-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 are vulnerable to Command Injection via /cgibin, hnap_main,
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link GO-RT-AC750 routers (revisions A and B) are vulnerable to command injection via the /cgibin, hnap_main endpoint, with no fix available as the product is End-of-Life.
Vulnerability
A command injection vulnerability exists in the D-Link GO-RT-AC750 router, affecting firmware versions GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 [1]. The flaw resides in the /cgibin handler for the hnap_main function, allowing an unauthenticated attacker to inject arbitrary operating system commands [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the /cgibin endpoint with malicious input appended to the hnap_main parameter [1]. No authentication is required, and the attacker only needs network access to the affected router [1][2].
Impact
Successful exploitation grants the attacker remote code execution (RCE) with root privileges on the device [1]. This leads to full compromise of the router, including the ability to intercept network traffic, modify configuration, and pivot to internal networks [1].
Mitigation
No firmware fix is available. The D-Link GO-RT-AC750 reached End-of-Life (EOL) on 2020-02-29, and D-Link recommends replacing the device with a supported model [1]. As of the advisory publication (2022-09-13), no workaround is provided [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/GO-RT-AC750
- Range: GORTAC750_revA_v101b03, GO-RT-AC750_revB_FWv200b02
Patches
No patches discovered yet.
References