CVE-2024-48638

Name of the Vulnerable Software and Affected Versions D-Link DIR-882 versions FW130B06 D-Link DIR-878 version FW130B08

Description A command injection issue exists in the SetGuestZoneRouterSettings function due to insufficient neutralization of special elements used in an OS command. This allows attackers to execute arbitrary OS commands via a crafted POST request to the prog.cgi script, exploiting the SubnetMask parameter.

Recommendations For D-Link DIR-882 version FW130B06, consider disabling the SetGuestZoneRouterSettings function until a patch is available. For D-Link DIR-878 version FW130B08, restrict access to the prog.cgi script to minimize the risk of exploitation. Avoid using the SubnetMask parameter in the affected API endpoint until the issue is resolved.