CVE-2022-43623
Description
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetWebFilterSetting requests to the web management portal. When parsing the WebFilterURLs element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16140.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection in D-Link DIR-1935's SetWebFilterSetting endpoint allows authenticated (or authentication-bypassed) attackers to execute arbitrary commands as root.
Vulnerability
A command injection vulnerability exists in the SetWebFilterSetting handler of the D-Link DIR-1935 router, firmware version 1.03 (build DIR1935A1_FW1.03B02_Beta_ipv6_default_gateway_20181224.bin). When processing a SetWebFilterSetting request to the web management portal, the WebFilterURLs parameter is parsed and passed unsanitised to a system call, allowing an attacker to inject arbitrary operating system commands. The vulnerability can be triggered without valid credentials because the authentication mechanism can be bypassed [1][2].
Exploitation
An attacker must be on the same local network (network-adjacent) and reach the router's web management portal. By sending a crafted SetWebFilterSetting request with a WebFilterURLs payload containing shell metacharacters, the attacker can inject commands that are executed by the underlying operating system with root privileges. No user interaction is required on the victim side. If authentication is enforced, it can be bypassed via an unrelated authentication bypass vulnerability (CVE-2022-43620) on the same device [1][2].
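A defender-side check for the request described above, as an added example that is not part of the original entry or of D-Link's code: it scans a captured SetWebFilterSetting request body and reports any WebFilterURLs value containing characters outside a conservative hostname/path allowlist. The XML layout, the namespace and the `string` child element in the samples are constructed assumptions; only the names SetWebFilterSetting and WebFilterURLs come from the entry.

```python
import re
import xml.etree.ElementTree as ET

# Characters a filtered-site entry plausibly needs: host, optional port, path.
# Anything else (; | & ` $ ( ) < > quotes, inner whitespace, ...) is flagged.
SAFE_ENTRY = re.compile(r"[A-Za-z0-9._~:/%*-]{1,255}")


def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}name'."""
    return tag.rsplit("}", 1)[-1]


def suspicious_filter_entries(body):
    """Return WebFilterURLs values in a request body that fail the allowlist.

    An unparseable body is reported too, since a lenient parser on the
    device might still act on it.
    """
    try:
        # For untrusted captures in production, prefer a hardened XML parser.
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["<unparseable body>"]
    hits = []
    for elem in root.iter():
        if local_name(elem.tag) != "WebFilterURLs":
            continue
        # itertext() covers the element's own text and all nested text.
        for text in elem.itertext():
            value = text.strip()
            if value and not SAFE_ENTRY.fullmatch(value):
                hits.append(value)
    return hits


# Constructed sample bodies (layout and namespace are assumptions).
NS = "http://example.invalid/ns"
BENIGN = f"""<Envelope><Body><SetWebFilterSetting xmlns="{NS}">
<WebFilterURLs><string>example.org</string><string>ads.example.net/path</string></WebFilterURLs>
</SetWebFilterSetting></Body></Envelope>"""
FLAGGED = f"""<Envelope><Body><SetWebFilterSetting xmlns="{NS}">
<WebFilterURLs><string>example.org;echo marker</string></WebFilterURLs>
</SetWebFilterSetting></Body></Envelope>"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, suspicious_filter_entries(body))
```

The allowlist is deliberately strict, so legitimate entries with unusual characters will be reported and need manual review.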
Impact
Successful exploitation results in arbitrary command execution in the context of root. This gives the attacker full control over the router, including the ability to modify configurations, intercept traffic, or use the device as a pivot for further attacks on the local network [1][2].
Mitigation
D-Link has released firmware version 1.03B02 to address this vulnerability and other issues disclosed in the same report. The patch was published as part of a security advisory in November 2022 [1]. Users should update to the latest available firmware on the D-Link support page. No workarounds have been provided by the vendor. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-1935 v5, Range: 1.03
Patches
No patches discovered yet.