VYPR · Unrated severity · NVD Advisory · Published Mar 29, 2023 · Updated Feb 14, 2025

CVE-2022-43631

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetVirtualServerSettings requests to the web management portal. When parsing subelements within the VirtualServerInfo element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16151.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in D-Link DIR-1935 routers allows network-adjacent attackers to execute arbitrary code as root after authentication bypass.

Vulnerability

The vulnerability is a command injection in D-Link DIR-1935 routers (firmware version 1.03b02) within the SetVirtualServerSettings request handler of the web management portal. When parsing subelements of the VirtualServerInfo element, the software fails to validate a user-supplied string before using it in a system call, so shell metacharacters in that string are interpreted as additional commands. Authentication is required but the existing authentication mechanism can be bypassed. [1][2]
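The flaw class described above, as an added C illustration that is not D-Link's firmware code: a hypothetical handler that splices VirtualServerInfo fields into one shell string, beside a hardened form that allow-list validates each field and hands the values to the helper as separate argv entries so no shell parses them. The field names, the iptables command line and all sample values are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical port-forward entry with the kinds of fields a
 * VirtualServerInfo subelement would carry (names are assumptions). */
struct vserver { const char *proto; const char *ext_port; const char *dest_ip; };

/* Vulnerable pattern: raw subelement values are spliced into one shell
 * string, so a metacharacter in any field becomes an extra command when
 * the string reaches system(). Shown only to contrast with the fix below. */
int vulnerable_build(const struct vserver *v, char *out, size_t n) {
    int w = snprintf(out, n, "iptables -t nat -A PREROUTING -p %s --dport %s -j DNAT --to %s",
                     v->proto, v->ext_port, v->dest_ip);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* Allow-list validators: every field must match a tight grammar. */
int valid_port(const char *s) {
    if (!s || !*s || strlen(s) > 5) return 0;
    for (const char *c = s; *c; c++) if (!isdigit((unsigned char)*c)) return 0;
    long p = strtol(s, NULL, 10);
    return p >= 1 && p <= 65535;
}
int valid_ipv4(const char *s) {
    unsigned a, b, c, d; char tail;
    if (!s || strlen(s) > 15) return 0;
    for (const char *p = s; *p; p++) if (!isdigit((unsigned char)*p) && *p != '.') return 0;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    return a < 256 && b < 256 && c < 256 && d < 256;
}
int valid_proto(const char *s) {
    return s && (strcmp(s, "tcp") == 0 || strcmp(s, "udp") == 0);
}

/* Hardened pattern: reject anything outside the grammar, then hand each
 * field to the helper as its own argv entry so no shell ever parses it.
 * Fills argv (NULL-terminated) and returns its length, or -1 on bad input. */
int safe_argv(const struct vserver *v, const char *argv[], size_t cap) {
    if (cap < 14) return -1;
    if (!valid_proto(v->proto) || !valid_port(v->ext_port) || !valid_ipv4(v->dest_ip)) return -1;
    const char *a[] = {"/usr/sbin/iptables", "-t", "nat", "-A", "PREROUTING", "-p", v->proto,
                       "--dport", v->ext_port, "-j", "DNAT", "--to", v->dest_ip, NULL};
    memcpy(argv, a, sizeof a);
    return 13;
}
/* A caller would then fork() and execv(argv[0], (char *const *)argv); never system(). */
```

The vulnerable builder accepts the malformed address unchanged, while the hardened path rejects it before any process is spawned.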

Exploitation

An attacker can bypass authentication and send a crafted SetVirtualServerSettings request with malicious input in a VirtualServerInfo subelement. The attacker must be network-adjacent to the router. The vulnerability can be exploited without user interaction. [2]

Impact

Successful exploitation allows arbitrary code execution as root, leading to full compromise of the router's confidentiality, integrity, and availability. [2]

Mitigation

As of the publication date (March 29, 2023), D-Link has not released a firmware patch to address this vulnerability. No workarounds are documented in the available references. Users may consider replacing the device if it is end-of-life. [1][2]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2

News mentions: 0