CVE-2022-37130
Description
In D-Link DIR-816 A2_v1.10CNB04 and DIR-878 DIR_878_FW1.30B08.img, a command injection vulnerability occurs in /goform/Diagnosis: once the triggering condition is met, setnum is spliced into v10 by snprintf and the result is passed to system(), resulting in command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in D-Link DIR-816 A2 v1.10CNB04 and DIR-878 FW1.30B08 allows remote attackers to execute arbitrary commands via the /goform/Diagnosis endpoint.
Vulnerability
A command injection vulnerability exists in the /goform/Diagnosis endpoint of D-Link DIR-816 A2 firmware v1.10CNB04 and DIR-878 firmware v1.30B08. When doType is 9 and pingAddr is not 0.0.0.0, the trHops parameter is concatenated into a system command via snprintf without proper sanitization, leading to command injection [1][2]. The affected firmware versions are DIR-816 A2_v1.10CNB04 and DIR-878_FW1.30B08.img [2].
Exploitation
An attacker needs network access to the router's web interface and must obtain a valid tokenid (which can be retrieved by requesting /dir_login.asp and parsing the response). The attacker then sends an HTTP POST request to /goform/Diagnosis with doType=9, a valid pingAddr (e.g., 192.168.0.1), and the trHops parameter containing shell metacharacters (e.g., backticks) enclosing arbitrary commands. The payload is executed with root privileges [1][2]. Public proof-of-concept code demonstrates the injection by causing a router reboot using the command reboot [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands as root on the affected D-Link router. This results in full compromise of the device, including the ability to modify configuration, intercept network traffic, launch further attacks, or render the device inoperable [1][2]. The CIA impact is complete loss of confidentiality, integrity, and availability.
Mitigation
As of the reference publication dates, no official patch or firmware update has been released by D-Link for either the DIR-816 or DIR-878 [1][3]. The vendor's security bulletin page does not list this vulnerability as addressed [3]. Users should monitor D-Link's security advisories for future updates. As a workaround, restrict network access to the router's management interface and disable remote administration if possible. The devices may be approaching or past end-of-life (EOL); consult D-Link's EOL policy for support status [3]. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `/goform/Diagnosis` handler allows attacker-controlled input to be spliced into a command string executed by `system()`."
Attack vector
An unauthenticated attacker on the same LAN can send a POST request to `/goform/Diagnosis` with `doType=9`, a valid `pingAddr`, and a malicious `trHops` (or `sendNum`) parameter containing shell metacharacters such as backticks [ref_id=1][ref_id=2]. The attacker first obtains a valid `tokenid` by scraping the login page at `/dir_login.asp` [ref_id=1][ref_id=2]. The unsanitized user input is concatenated into a command string and executed by `system()`, allowing arbitrary command injection [CWE-77].
Affected code
The vulnerability resides in the `/goform/Diagnosis` handler of the D-Link DIR-816 A2 firmware (v1.10CNB04 and v1.10CNB05) [ref_id=1][ref_id=2]. When `doType` is 9 and `pingAddr` is not `0.0.0.0`, the `trHops` (or `sendNum`) parameter is spliced into a buffer via `snprintf` and then passed to `system()` [ref_id=1][ref_id=2].
What the fix does
No patch is provided in the bundle. Both reference write-ups identify the root cause as unsanitized user input being concatenated into a command string via `snprintf` and executed by `system()` [ref_id=1][ref_id=2]. The remediation would require validating or sanitizing the `trHops`/`sendNum` parameter to reject shell metacharacters, or replacing the `system()` call with a safer API that does not invoke a shell interpreter.
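To illustrate the remediation described above, here is an added example in C (not D-Link's firmware code): the `snprintf` + `system()` pattern the write-ups describe, beside a hardened handler that validates `trHops` and `pingAddr` and execs the binary directly without a shell. Function names, the assumption that Diagnosis runs `traceroute`, its path, and the 1..64 hop bound are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* Vulnerable pattern as the write-ups describe it: the raw trHops value is
 * spliced into a shell command line and run via system(), so shell
 * metacharacters in it are interpreted (CWE-77). Shown only, never called. */
void diagnosis_vulnerable(const char *ping_addr, const char *tr_hops)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "traceroute -m %s %s", tr_hops, ping_addr);
    system(cmd);
}

/* Hardened: accept only a short all-digit hop count in a sane range
 * (1..64 is an assumed bound). Returns the value, or -1 to reject. */
int parse_hops(const char *tr_hops)
{
    if (tr_hops == NULL || *tr_hops == '\0' || strlen(tr_hops) > 2)
        return -1;
    for (const char *p = tr_hops; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    int v = atoi(tr_hops);
    return (v >= 1 && v <= 64) ? v : -1;
}

/* Hardened: validate both parameters, then exec the binary with an argv
 * array. No shell is involved, so nothing is re-parsed. Returns -1 if a
 * parameter is rejected, otherwise the child's wait status. */
int diagnosis_hardened(const char *ping_addr, const char *tr_hops)
{
    struct in_addr a;
    int hops = parse_hops(tr_hops);
    if (hops < 0 || inet_pton(AF_INET, ping_addr, &a) != 1)
        return -1;
    char hopbuf[4];
    snprintf(hopbuf, sizeof hopbuf, "%d", hops);
    char *argv[] = { "traceroute", "-m", hopbuf, (char *)ping_addr, NULL };
    pid_t pid = fork();
    if (pid == 0) {
        execv("/usr/bin/traceroute", argv); /* assumed binary path */
        _exit(127);
    }
    int status = -1;
    if (pid > 0) waitpid(pid, &status, 0);
    return status;
}
```

With the page's backtick payload as `tr_hops`, `diagnosis_hardened` returns -1 before any process is spawned; a detection rule on the web server can log that rejection.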
Preconditions
- Network: attacker must be on the same LAN as the router (192.168.0.0/24)
- Input: attacker must obtain a valid tokenid from /dir_login.asp
Reproduction
1. Obtain a valid token ID: `curl http://192.168.0.1/dir_login.asp | grep tokenid` [ref_id=1][ref_id=2].
2. Send the malicious POST request: ``curl -i -X POST http://192.168.0.1/goform/Diagnosis -d tokenid=xxxx -d 'pingAddr=192.168.0.1' -d 'sendNum=`reboot`'`` [ref_id=2]. Alternatively, use the Python PoC with `trHops` set to `` `reboot` `` [ref_id=1].
3. The router reboots, confirming command injection [ref_id=1][ref_id=2].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.