CVE-2021-46315

Name of the Vulnerable Software and Affected Versions D-Link Router DIR-846 versions DIR846A1 FW100A43.bin through DIR846enFW100A53DLA-Retail.bin

Description A Remote Command Execution (RCE) issue exists due to insufficient argument validation in the SetWizardConfig.php script within the HNAP1/control directory. This allows malicious users to execute arbitrary commands by using shell metacharacters, such as backticks or line breaks, in the ssid0 or ssid1 parameters.

Recommendations For D-Link Router DIR-846 versions DIR846A1 FW100A43.bin through DIR846enFW100A53DLA-Retail.bin, consider disabling the SetWizardConfig.php script in the HNAP1/control directory until a patch is available to prevent exploitation. Restrict access to the ssid0 and ssid1 parameters in the affected API endpoint to minimize the risk of command execution. Avoid using the parameters ssid0 and ssid1 in the affected API endpoint until the issue is resolved.