CVE-2021-46233 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-46233?

CVE-2021-46233 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary commands on D-Link DI-7200GV2.E1 routers via command injection in the msp_info.htm function. Attackers can exploit this by sending specially crafted requests with malicious commands in the cmd parameter. Only users of the specific D-Link router model and firmware version are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on D-Link DI-7200GV2.E1 routers via command injection in the msp_info.htm function. Attackers can exploit this by sending specially crafted requests with malicious commands in the cmd parameter. Only users of the specific D-Link router model and firmware version are affected.

💻 Affected Systems

Products:

D-Link DI-7200GV2.E1

Versions: v21.04.09E1

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Only this specific model and firmware version are confirmed affected. Other D-Link devices may have similar vulnerabilities but are not confirmed.

📦 What is this software?

Di 7200gv2 Firmware by Dlink

View all CVEs affecting Di 7200gv2 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to install malware, pivot to internal networks, steal credentials, or render the device inoperable.

🟠

Likely Case

Attackers gain remote shell access to execute commands, potentially leading to network reconnaissance, data exfiltration, or using the device as a botnet node.

🟢

If Mitigated

If network segmentation and access controls are implemented, impact is limited to the isolated router with no lateral movement.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing, making them prime targets for remote exploitation without authentication.

🏢 Internal Only: MEDIUM - If not internet-facing, attackers would need internal network access first, but exploitation remains straightforward.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending HTTP requests to the vulnerable endpoint with command injection payloads. Public proof-of-concept code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest patched version

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10284

Restart Required: Yes

Instructions:

1. Access D-Link support portal. 2. Download latest firmware for DI-7200GV2.E1. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate router from critical internal networks to limit potential lateral movement

Access Control Lists

linux

Restrict access to router management interface to trusted IP addresses only

iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

Disable remote management interface if not required
Implement network monitoring for suspicious traffic to/from router

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is v21.04.09E1, device is vulnerable.

Check Version:

curl -s http://router-ip/status.html | grep -i firmware

Verify Fix Applied:

After patching, verify firmware version has changed from v21.04.09E1 to newer version in admin interface.

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in router logs
Multiple failed login attempts followed by successful access
HTTP requests to msp_info.htm with suspicious cmd parameters

Network Indicators:

Unusual outbound connections from router
Traffic to known malicious IPs
Unexpected SSH/Telnet sessions originating from router

SIEM Query:

source="router_logs" AND (uri="/msp_info.htm" OR cmd="*;*" OR cmd="*|*")

📊 Metadata

CVE ID: CVE-2021-46233

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: February 4, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/pjqwudi/my_vuln/blob/main/D-link/vuln_12/12.md Broken Link
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10284 Vendor Advisory
https://www.dlink.com/en/security-bulletin/ Vendor Advisory
https://github.com/pjqwudi/my_vuln/blob/main/D-link/vuln_12/12.md Broken Link
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10284 Vendor Advisory
https://www.dlink.com/en/security-bulletin/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46233, you might also want to check these: