CVE-2022-4616
Description
The webserver in Delta DX-3021 versions prior to 1.24 is vulnerable to command injection through the network diagnosis page. This vulnerability could allow a remote unauthenticated user to add files, delete files, and change file permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Delta DX-3021 routers prior to v1.24 allow remote unauthenticated command injection via the network diagnosis page.
Vulnerability
The webserver in Delta DX-3021 4G routers (specifically model DX-3021L9) versions prior to V1.24 is vulnerable to command injection through the network diagnosis page [1]. This is a classic OS command injection flaw (CWE-77) where user-supplied input is not properly sanitized before being passed to system commands. The network diagnosis page is a legitimate web interface function that executes diagnostic commands; the vulnerability allows an attacker to inject arbitrary operating system commands alongside the intended ones. No special configuration is required; the vulnerable code path is reachable by default in the web interface [1].
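The secure counterpart of the flawed pattern described above, as an added illustration that is not Delta's firmware code (Python is used to show the pattern; the router's actual implementation is not on the page, and the function names are hypothetical): the diagnosis target is validated against a strict IP-literal/hostname grammar and then passed as a discrete argv element, never through a shell, so separators such as `;`, `|` or `&&` can neither pass validation nor be reparsed.

```python
"""
Added example (not Delta's code): a hardened handler for a "network
diagnosis" style endpoint. The DX-3021 flaw (CWE-77) arises when a
user-supplied target is concatenated into a shell command string. The
safe pattern has two parts: (1) validate the target against an allowlist
grammar (IP literal or DNS hostname), and (2) never hand the value to a
shell; pass it as one argv element with shell=False. Names are hypothetical.
"""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_diag_target(target: str) -> bool:
    """True only for a bare IPv4/IPv6 literal or a hostname.
    Whitespace, shell metacharacters and empty strings are all rejected,
    and a leading hyphen is impossible, so the value can't become an option."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(target) is not None


def build_ping_argv(target: str, count: int = 3) -> list:
    """Build the command as an argv list; raise on invalid input so that
    attacker-controlled text never reaches a command line at all."""
    if not is_valid_diag_target(target):
        raise ValueError("invalid diagnosis target")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def run_ping(target: str, count: int = 3) -> str:
    """Execute with shell=False: argv elements are never reparsed by /bin/sh."""
    argv = build_ping_argv(target, count)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample input; prints the argv that would be executed.
    print(build_ping_argv("192.0.2.1"))
```

The same allowlist check can be reused as a detection rule on the web server's access log: any diagnosis request whose target parameter fails `is_valid_diag_target` is worth alerting on.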
Exploitation
An attacker can exploit this vulnerability remotely over the network with low complexity, requiring only network access to the device's web interface. No authentication is needed — the input fields on the network diagnosis page are accessible to unauthenticated users [1]. The attacker simply crafts HTTP requests containing malicious command separators (e.g., ;, |, &&) appended to legitimate diagnosis parameters. The injected commands are then executed by the device's underlying operating system with the privileges of the web server process [1].
Impact
Successful exploitation allows a remote unauthenticated attacker to achieve arbitrary command execution on the affected router. The attacker can add files, delete files, and change file permissions on the device [1]. Given the full command injection capability, the impact extends to potential full compromise of confidentiality (reading sensitive data from the file system), integrity (modifying system files or configurations), and availability (deleting critical files, causing denial of service). The CVSS v3 base score is 7.2, with the vector string AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; note this reflects a requirement for high privileges in the vector, but the advisory also states the attacker is unauthenticated — the elevated privilege level in the CVSS likely corresponds to the privileges gained post-exploitation [1].
Mitigation
Delta has released a patch, and the fixed version V1.24 (or later) is available on the Delta download center [1]. Users who cannot immediately apply the patch should minimize network exposure by ensuring the devices are not accessible from the Internet, placing them behind firewalls, and isolating them from business networks. When remote access is required, secure methods such as VPNs should be used [1]. No KEV listing was referenced at the time of publication.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Delta Industrial Automation / 4G Router DX-3021 v5 (Range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.