PT-2022-23625 · D Link · Dlink Router
Nerya Zadkani · Published 2022-11-17 · Updated 2023-10-25 · CVE-2022-36786
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
DLINK router version 3.0.8
Description
The issue allows command injection through the jsonrpc API interface used to configure NTP servers, potentially running commands with root permissions on the router.
Recommendations
For version 3.0.8, consider disabling the jsonrpc API interface for NTP server configuration until a patch is available to prevent potential command injection attacks. Restrict access to the NTP server configuration interface to minimize the risk of exploitation.
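An added example, not from the advisory or from D-Link's firmware: a strict allowlist check for NTP server values that a filtering proxy or a review of logged JSON-RPC request bodies could apply. The field names `ntp_server`/`ntp_servers`, the method name and the sample request are assumptions, since the advisory does not give the real ones.

```python
import ipaddress
import json
import re

# Characters that can appear in a hostname or IP literal; everything else
# (spaces, ';', '|', '$', '%', quotes, newlines) is rejected before parsing.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Assumed field names; the advisory does not name the real parameters.
NTP_KEYS = {"ntp_server", "ntp_servers"}

def is_valid_ntp_server(value):
    """Accept only an IPv4/IPv6 literal or an RFC 1123 hostname."""
    if not isinstance(value, str) or len(value) > 253:
        return False
    # Run the allowlist first: on Python 3.9+ ipaddress accepts an IPv6 zone
    # id ("%...") made of arbitrary characters, so it cannot be the only check.
    if not _ALLOWED.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return all(_LABEL.fullmatch(label) for label in value.split("."))

def rejected_ntp_values(request_body):
    """Return every value under an NTP key that fails validation."""
    bad = []
    def walk(node, under_ntp_key=False):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, under_ntp_key or key.lower() in NTP_KEYS)
        elif isinstance(node, list):
            for child in node:
                walk(child, under_ntp_key)
        elif under_ntp_key and not is_valid_ntp_server(node):
            bad.append(node)
    walk(json.loads(request_body))
    return bad

# Constructed sample request; the method name is hypothetical.
SAMPLE = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "set_ntp",
    "params": {"ntp_servers": ["pool.ntp.org", "192.0.2.10",
                               "time.example.org;id", "fe80::1%;id"]},
})
```

Validation of this kind is a compensating control in front of the device; it does not replace a firmware fix that stops passing the value to a shell.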
Fix
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Dlink Router