CVE-2023-26822
Description
D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at soapcgi.main.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in the soapcgi.main function of D-Link Go-RT-AC750 revA_v101b03 allows unauthenticated remote code execution via the service parameter.
Vulnerability
The D-Link Go-RT-AC750 router running firmware version revA_v101b03 contains a command injection vulnerability in the soapcgi.main function. The function retrieves the service parameter from the URL and passes it unsanitized into a sprintf call that builds a string later executed by the system() function. An attacker can inject arbitrary OS commands by crafting a malicious service value in the HTTP request URI [1].
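The pattern described above, and one way to close it, as an added example (not D-Link firmware code and not from the referenced PoC). The names `service_is_safe`, `build_argv` and the `HANDLER` path are hypothetical, and the allow-list assumes service names are short alphanumeric identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper path: the firmware's real command string is not on this page. */
#define HANDLER "/usr/sbin/example_handler"

/* Allow-list check: 1..32 characters of [A-Za-z0-9_], so nothing a shell
 * would interpret (&, ;, |, `, $, spaces, quotes) can get through. */
int service_is_safe(const char *s)
{
    size_t n, i;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 32) return 0;
    for (i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '_'))
            return 0;
    }
    return 1;
}

/* Vulnerable shape described above:
 *     sprintf(cmd, "<command> %s", service); system(cmd);
 * Hardened shape: validate, then pass the value as a single argv element
 * (for execv) so no shell ever parses it. Returns 0 on success, -1 if rejected. */
int build_argv(const char *service, const char *argv[3])
{
    if (!service_is_safe(service)) return -1;
    argv[0] = HANDLER;
    argv[1] = service;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the device or the PoC. */
    const char *samples[] = { "WANIPConn1", "WANIPConn1&&x", "a;b", "" };
    const char *argv[3];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               build_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```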
Exploitation
An unauthenticated attacker on the same network can send a crafted HTTP POST request to the router's SOAP endpoint at /soap.cgi with a service parameter containing command separators (e.g., &&). The reference PoC demonstrates using the injection to start the telnetd daemon on a non-standard port, then connecting to it remotely [1]. No authentication or prior access is required.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with root privileges on the affected router, leading to full device compromise. The attacker can enable additional services, modify configurations, exfiltrate data, or use the device as a pivot point for further attacks [1].
Mitigation
As of the publication date, D-Link has not released a patched firmware version for the Go-RT-AC750 revA. The device may be end-of-life (EOL); the D-Link security bulletin page [2] lists EOL products but does not provide a specific fix for this CVE. Users should replace the device or, if possible, restrict network access to the router's management interface and apply firewall rules to block unauthenticated SOAP requests. No workaround is known.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/Go-RT-AC750
- Range: = revA firmware v1.01b03
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.