CVE-2022-28573

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions D-Link DIR-823-Pro version 1.0.2

Description The issue is related to the implementation of the SetNTPserverSeting() function in the D-Link DIR-823-Pro wireless router's firmware, which fails to properly sanitize data at the management level. This allows a remote attacker to execute arbitrary commands using the system time timezone parameter.

Recommendations For D-Link DIR-823-Pro version 1.0.2, consider disabling the SetNTPserverSeting() function until a patch is available to prevent exploitation via the system time timezone parameter. Restrict access to the vulnerable function to minimize the risk of arbitrary command execution. Avoid using the system time timezone parameter in the affected function until the issue is resolved.

Exploit

Fix

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

BDU:2022-02930

CVE-2022-28573

Affected Products

D-Link Dir-823-Pro

CVE-2022-28573

Weakness Enumeration

Related Identifiers

Affected Products

References · 6