CVE-2023-43284
Description
D-Link Wireless MU-MIMO Gigabit AC1200 Router DIR-846 100A53DBR-Retail devices allow an authenticated remote attacker to execute arbitrary code via an unspecified manipulation of the QoS POST parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote code execution in D-Link DIR-846 routers via manipulation of the QoS POST parameter.
Vulnerability
The vulnerability in D-Link Wireless MU-MIMO Gigabit AC1200 Router DIR-846 firmware version 100A53DBR-Retail allows an authenticated remote attacker to execute arbitrary code via an unspecified manipulation of the QoS POST parameter. The issue exists regardless of whether QoS is enabled, as indicated by the proof-of-concept [1].
Exploitation
The attacker must hold valid router credentials (username and password) and authenticate to the web interface first. The exploit then sends a crafted POST request to the QoS handler with an operating system command embedded in the QoS parameter. The published proof-of-concept takes the target IP address, the admin password, and the command to run, and reports the result [1].
Impact
Successful exploitation yields arbitrary command execution on the router with the privileges of the web-server process, which on consumer routers of this class is normally root. That amounts to full compromise of the device: reading stored credentials and configuration, altering DNS or firewall settings, installing persistent tooling, or using the router as a pivot into the LAN it fronts.
Mitigation
No official patch or firmware update from D-Link had been identified as of the disclosure date. Until one is available: restrict access to the management interface to trusted hosts on the LAN, disable remote (WAN-side) administration, and replace the default admin password with a strong, unique one, since an attacker must authenticate before reaching the vulnerable handler. If the device is end-of-life, replacing it with a supported model is the only durable fix.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
D-Link / Wireless MU-MIMO Gigabit AC1200 Router DIR-846
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the QoS POST parameter allows command injection."
Attack vector
An authenticated remote attacker sends a crafted POST request to the router's QoS functionality with operating system commands embedded in the QoS POST parameter. The router neither validates nor escapes this value before interpolating it into a command that is handed to a system-level execution context (a shell), so shell metacharacters in the value are interpreted and the attacker's command runs: classic OS command injection (CWE-78). The attacker must already possess valid router credentials, but the QoS feature does not need to be enabled for exploitation [ref_id=1].
Affected code
The vulnerability resides in the QoS POST parameter handling of the D-Link DIR-846 router (firmware version 100A53DBR-Retail). The advisory does not specify a particular function or file path, but identifies the QoS POST parameter as the injection point [ref_id=1].
What the fix does
No patch or vendor advisory is included in the bundle, and the researcher's write-up does not describe any remediation from D-Link. Closing the vulnerability requires the firmware to validate the QoS POST parameter against an allowlist of the values it actually expects (for example, a bounded integer) and, independently of that, to invoke the underlying tool without a shell, passing the value as a discrete argument rather than splicing it into a command string. Either change alone breaks the published exploit; both together mean a future bypass of the validation cannot become code execution.
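The vulnerable and hardened handler shapes described under Attack vector and What the fix does, as an added illustration written for this page. It is not D-Link firmware (the page does not include the affected code): the parameter name qos_bw, the tc command line and the interface name eth0 are assumptions, and the POST body is constructed. The unsafe function interpolates the value into a shell command line; the hardened path rejects anything but a bounded integer and hands the result to execv() as an argv vector, so no shell ever parses it.

```c
/* Added example for this page: unsafe vs hardened handling of a user-supplied
 * QoS parameter in a CGI-style router handler. Illustrative code, not D-Link's.
 * Assumptions: field name "qos_bw", a tc(8) rate-limit command, device eth0. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Extract one field from an application/x-www-form-urlencoded body.
 * Minimal on purpose: no %-decoding (the only value we accept is digits). */
int form_get(const char *body, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = flen - nlen - 1;
            if (vlen >= outsz) return -1;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* VULNERABLE pattern (CWE-78): the raw value lands inside a shell command line.
 * Returns the string system() would receive, so an injected value is visible. */
int build_qos_command_unsafe(const char *bw, char *cmd, size_t cmdsz)
{
    int n = snprintf(cmd, cmdsz,
        "tc qdisc add dev eth0 root tbf rate %skbit burst 32kbit latency 400ms", bw);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

/* Allowlist check: a decimal integer between 1 and 1,000,000 kbit, nothing else. */
int qos_bw_is_valid(const char *bw)
{
    if (bw == NULL || *bw == '\0' || strlen(bw) > 7) return 0;
    for (const char *c = bw; *c; c++)
        if (!isdigit((unsigned char)*c)) return 0;
    long v = strtol(bw, NULL, 10);
    return v >= 1 && v <= 1000000;
}

/* HARDENED pattern: validate, then build an argv vector for execv(). The value
 * is one argument among fixed ones; no shell exists to interpret ';' or '|'.
 * argv needs room for 14 entries. Returns the argument count or -1. */
int build_qos_argv(const char *bw, char *argv[], char *ratebuf, size_t ratesz)
{
    if (!qos_bw_is_valid(bw)) return -1;
    if (snprintf(ratebuf, ratesz, "%skbit", bw) >= (int)ratesz) return -1;
    const char *fixed[] = {"/sbin/tc", "qdisc", "add", "dev", "eth0", "root", "tbf", "rate"};
    int i = 0;
    for (; i < 8; i++) argv[i] = (char *)fixed[i];
    argv[i++] = ratebuf;
    argv[i++] = (char *)"burst";   argv[i++] = (char *)"32kbit";
    argv[i++] = (char *)"latency"; argv[i++] = (char *)"400ms";
    argv[i] = NULL;
    return i;
}

/* Execute an argv vector directly; returns the child's exit status or -1. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed POST body, shown already %-decoded: the value smuggles a
     * second command behind the bandwidth figure. */
    const char *body = "page=qos&qos_bw=512;telnetd -l /bin/sh&apply=1";
    char bw[64], cmd[256], rate[32], *argv[14];
    if (form_get(body, "qos_bw", bw, sizeof bw) != 0) return 1;
    build_qos_command_unsafe(bw, cmd, sizeof cmd);
    printf("unsafe handler would hand the shell: %s\n", cmd);
    if (build_qos_argv(bw, argv, rate, sizeof rate) < 0)
        puts("hardened handler: qos_bw rejected, nothing executed");
    else
        printf("hardened handler: tc exited %d\n", run_argv(argv));
    return 0;
}
```

Note that the hardened path never reaches run_argv() for the constructed body; with a plain "512" it would exec /sbin/tc directly, which needs root and a real interface, so the test below only checks the vector that would be passed.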
Preconditions
- auth: Attacker must have valid credentials to authenticate to the router's web interface
- network: Attacker must be able to reach the router's management interface over the network
- input: The QoS POST parameter is the injection vector; the QoS feature does not need to be enabled
Reproduction
The researcher provides a Python proof-of-concept tool that accepts the router IP, password, and an arbitrary command. The tool sends a crafted POST request to the QoS endpoint with the command embedded in the QoS parameter, achieving authenticated remote code execution [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. youtu.be/Y8osw_xU6-0 (source: mitre)
News mentions
No linked articles in our index yet.