PT-2019-6344 · D-Link · D-Link Dir-825

Published: 2019-02-25 · Updated: 2023-04-27 · CVE-2019-9122

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: D-Link DIR-825 version 2.10
Description: The issue is related to the lack of input validation in the firmware of D-Link DIR-825 routers. A remote attacker can exploit it to execute arbitrary commands by sending a specially crafted POST request to the ntp_sync.cgi endpoint through the ntp_server parameter.
Recommendations: For version 2.10, consider disabling the ntp_sync.cgi endpoint or restricting access to it until a patch is available. Avoid using the ntp_server parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-02830
CVE-2019-9122

Affected Products

D-Link Dir-825