CVE-2022-46552

Vulnerability

The vulnerability resides in the SetIpMacBindSettings.php file (line 79) of D-Link DIR-846 firmware version FW100A53DBR-Retail. The application uses an exec() function to run a shell command with user-supplied input from the lan(0)_dhcps_staticlist parameter. The input is partially sanitized but allows injection of arbitrary OS commands via the second comma-separated value in the JSON-encoded POST request. This is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [1][3].

Exploitation

An attacker must be authenticated to the router's web interface. The attacker sends a crafted POST request with a JSON body containing the lan(0)_dhcps_staticlist key. The payload is placed in the second value of the comma-separated list. The server then executes exec(changename.sh $mac "$(malicious_payload_command)"), allowing arbitrary command execution. No additional user interaction is required beyond authentication [3].

Impact

Successful exploitation grants the attacker remote command execution on the router with the privileges of the web server (typically root). This leads to full compromise of the device, including the ability to modify configuration, exfiltrate data, or use the router as a pivot point. The CVSS v3.1 score is 9.1 (High) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H [3].

Mitigation

As of the publication date (2023-02-02), no official patch from D-Link has been released. The vendor was contacted but no fix is documented. Users should consider replacing the device if it remains unpatched, or restrict access to the administrative interface to trusted networks only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the report date [3].