VYPR
Unrated severity · NVD Advisory · Published May 6, 2025 · Updated May 6, 2025

D-Link DIR-890L/DIR-806A1 soap.cgi sub_175C8 command injection

CVE-2025-4340

Description

Critical command injection in D-Link DIR-890L and DIR-806A1 via sub_175C8 in soap.cgi allows remote code execution on unsupported devices.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A critical command injection vulnerability exists in the sub_175C8 function within the /htdocs/soap.cgi file of D-Link DIR-890L and DIR-806A1 routers running firmware versions up to 100CNb11 and 108B03, respectively. The vulnerability allows an attacker to inject arbitrary commands through crafted SOAP requests. This issue affects only products that are no longer supported by the vendor [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted SOAP request to the affected router's soap.cgi endpoint. The injection occurs within the sub_175C8 function, which does not properly sanitize user input. Public exploit code has been disclosed, making exploitation straightforward for attackers with network access to the device.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the affected router with root privileges, leading to full device compromise. This can result in information disclosure, denial of service, or use of the device as a pivot point in further attacks.

Mitigation

No official patch is available as these products have reached end-of-life and are no longer supported by D-Link. Users are strongly advised to replace affected devices with supported models. As a temporary measure, access to the SOAP interface should be restricted by firewall rules and disabled if not needed. The vulnerability is not listed on CISA KEV as of publication.
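
One way to check whether the SOAP interface is actually restricted is to triage HTTP logs from a sensor or proxy in front of the router. The Python script below is an added example, not part of the advisory or of any vendor tooling. It assumes a common-log-style format, a request path ending in soap.cgi, RFC 1918 LAN addressing, and a placeholder parameter name `p`; the advisory does not say which field carries the injected input, so only query parameters are inspected.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the LAN uses RFC 1918 space; any other source counts as external.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shell metacharacters that have no place in a decoded parameter value.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
LINE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; parameter "p" and its values are placeholders.
SAMPLE_LOG = """\
192.168.0.23 - - [06/May/2025:10:01:12 +0000] "POST /soap.cgi?p=lan1 HTTP/1.1" 200 512
203.0.113.45 - - [06/May/2025:10:02:40 +0000] "POST /soap.cgi?p=lan1 HTTP/1.1" 200 512
198.51.100.7 - - [06/May/2025:10:03:05 +0000] "POST /soap.cgi?p=value%3Btest HTTP/1.1" 200 0
192.168.0.23 - - [06/May/2025:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 1024
192.168.0.40 - - [06/May/2025:10:05:19 +0000] "POST /soap.cgi?p=value%2560test HTTP/1.1" 200 0
"""

def full_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(log_text):
    """Return a finding for each soap.cgi request that is external or carries shell metacharacters."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = LINE.match(line)
        if not match:
            continue
        parts = urlsplit(match["target"])
        if not parts.path.lower().endswith("soap.cgi"):
            continue
        try:
            src = ipaddress.ip_address(match["src"])
        except ValueError:
            continue  # source logged as a hostname; not handled here
        external = not any(src in net for net in LAN_NETS)
        values = [full_unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        shell_meta = any(SHELL_META.search(v) for v in values)
        if external or shell_meta:
            findings.append({"line": number, "src": str(src), "external": external, "shell_meta": shell_meta})
    return findings
```

Calling `triage(SAMPLE_LOG)` reports lines 2, 3 and 5: an external request that should have been blocked by the firewall, an external request with a metacharacter, and a LAN request whose metacharacter only appears after a second round of decoding.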

References
  1. Landing

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Dlink/DIR-806 [llm-create], 2 versions
    • (no CPE) range: <=108B03
    • (no CPE) range: 100CNb11
  • Dlink/DIR-890L [llm-fuzzy], 2 versions
    • (no CPE) range: <=100CNb11
    • (no CPE) range: 100CNb11

Patches

0

No patches discovered yet.
