CVE-2022-43633

Vulnerability

The vulnerability is a command injection flaw in the SetSysLogSettings handler of the D-Link DIR-1935 router's web management portal. The IPAddress element is improperly validated before being used in a system call, allowing an attacker to inject arbitrary OS commands. This affects the DIR-1935 hardware revision Ax running firmware version 1.03b02 [1][2]. Authentication is required to reach the vulnerable handler, but the existing authentication mechanism can be bypassed through a separate vulnerability (e.g., CVE-2022-43620) [2].

Exploitation

An attacker must be network-adjacent (on the same local network) and either possess valid administrator credentials or leverage an authentication bypass technique [2]. The attacker sends a crafted HTTP POST request to the router's web interface, targeting the SetSysLogSettings action. By inserting shell metacharacters into the IPAddress parameter, the injected command is executed by the system when the router processes the request.

Impact

Successful exploitation grants the attacker arbitrary code execution as the root user, resulting in full compromise of the router. The attacker can read, modify, or delete sensitive data, install persistent malware, pivot to other devices on the network, or disrupt network services. The confidentiality, integrity, and availability of the device are completely lost [2].

Mitigation

As of the publication date (March 29, 2023), D-Link has not released a firmware patch for this vulnerability [1]. The vendor acknowledged the issue and began developing patches, but no fixed version has been made available. Users should consider replacing the router with a supported model or isolating the device from untrusted network segments. No workaround has been provided by D-Link [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.