CVE-2022-50596

Name of the Vulnerable Software and Affected Versions D-Link DIR-1260 Wi-Fi router versions up to and including v1.20B05

Description A command injection flaw exists in the web management interface of the D-Link DIR-1260 Wi-Fi router. This allows unauthenticated attackers to execute arbitrary commands on the device with root privileges. The vulnerability is located within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible via HTTP and HTTPS on local and Wi-Fi networks, and potentially from the internet. The issue stems from a failure to neutralize special elements used in operating system commands when processing the SetDest/Dest/Target parameter.

Recommendations Update D-Link DIR-1260 Wi-Fi router firmware to a version later than v1.20B05.