CVE-2019-7297

Name of the Vulnerable Software and Affected Versions D-Link DIR-823G devices with firmware through 1.02B03

Description An issue allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input. The vulnerability is related to insufficient input data cleaning used in commands.

Recommendations For D-Link DIR-823G devices with firmware through 1.02B03, consider disabling the GetNetworkTomographyResult function until a patch is available to prevent exploitation via the /HNAP1 request. Restrict access to the Address input parameter to minimize the risk of arbitrary command execution.