CVE-2022-37129

Name of the Vulnerable Software and Affected Versions D-Link DIR-816 A2 version 1.10CNB04

Description The issue is related to Command Injection via the "/goform/SystemCommand" API endpoint. When a user passes in the command parameter, it is spliced into byte 4836B0 by snprintf, and then doSystem(&byte 4836B0) is executed, resulting in a command injection.

Recommendations For version 1.10CNB04, as a temporary workaround, consider restricting access to the "/goform/SystemCommand" API endpoint until a patch is available. Avoid using the command parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.