CVE-2022-30521

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical stack-based buffer overflow vulnerability in D-Link DIR-890L router firmware that allows unauthenticated remote code execution. Attackers can exploit it by sending specially crafted HTTP requests to the LAN-side web configuration interface on port 49152. All users of affected DIR-890L router versions are vulnerable.

💻 Affected Systems

Products:
  • D-Link DIR-890L Wi-Fi Router
Versions: DIR890LA1_FW107b09.bin and all previous versions
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the LAN-side web interface, so attackers need LAN access or the ability to bypass network boundaries.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attackers to install persistent malware, intercept all network traffic, pivot to internal network devices, and use the router as a botnet node.

🟠

Likely Case

Router takeover enabling traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted LAN access and proper network segmentation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub repositories. Exploitation requires sending crafted HTTP requests to port 49152.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for latest firmware

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit the D-Link support site
2. Download the latest firmware for the DIR-890L
3. Log into the router admin interface
4. Navigate to the firmware update section
5. Upload and apply the new firmware
6. Reboot the router

🔧 Temporary Workarounds

Block LAN Access to Router Admin


Use firewall rules to restrict access to the router's admin interface (port 49152) to trusted management devices only.

Disable Remote Administration


Ensure the router's remote administration feature is disabled so the admin interface is not reachable from the WAN side.

🧯 If You Can't Patch

  • Replace router with supported model
  • Isolate router on separate VLAN with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is DIR890LA1_FW107b09.bin or earlier, you are vulnerable.

Check Version:

Check the router web interface at http://[router-ip]:49152, or use an nmap scan to confirm whether port 49152 is open.

Verify Fix Applied:

Verify that the firmware version is newer than DIR890LA1_FW107b09.bin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to port 49152
  • Multiple failed login attempts to router interface
  • Unexpected router reboots or configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to port 49152 from unexpected sources
  • DNS queries to suspicious domains from router

SIEM Query:

dest_port:49152 AND (http_method:POST OR http_method:GET) AND (uri_contains:"cgibin" OR user_agent_contains:exploit)

Match on the destination port: 49152 is the port the router listens on, while the source port of a client request is ephemeral and would not match reliably.
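The network indicators and SIEM query above, turned into a small detector that runs over access-log lines. This is an added example, not code from the advisory or from D-Link; the log format, the admin allowlist and the LAN range are constructed assumptions, and the rules flag only traffic to the port-49152 admin service.

```python
import ipaddress
import re

# Constructed sample log (not a real D-Link or SIEM format): "<ts> src=<ip> dst=<ip>:<port> <METHOD> <uri> ua=<agent>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=192.168.0.10 dst=192.168.0.1:49152 GET /status ua=Mozilla/5.0
2024-01-01T10:00:05Z src=192.168.0.77 dst=192.168.0.1:49152 POST /cgibin ua=curl/8.0
2024-01-01T10:00:09Z src=192.168.0.10 dst=192.168.0.1:80 GET /index.html ua=Mozilla/5.0
2024-01-01T10:00:12Z src=10.0.5.3 dst=192.168.0.1:49152 POST /upload ua=exploit-kit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:]+):(?P<dport>\d+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) ua=(?P<ua>.*)$"
)

ADMIN_PORT = 49152                                  # DIR-890L admin service from the advisory
ADMIN_ALLOWLIST = {"192.168.0.10"}                  # hypothetical: the only host allowed to manage the router
LAN_NET = ipaddress.ip_network("192.168.0.0/24")    # hypothetical LAN segment


def parse_line(line: str) -> dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def classify(ev: dict[str, str]) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons: list[str] = []
    if int(ev["dport"]) != ADMIN_PORT:
        return reasons                              # only traffic to the 49152 service is in scope
    if ev["src"] not in ADMIN_ALLOWLIST:
        reasons.append("admin port hit from non-allowlisted source")
    if ipaddress.ip_address(ev["src"]) not in LAN_NET:
        reasons.append("admin port reached from outside the LAN segment")
    if "cgibin" in ev["uri"]:
        reasons.append("request targets cgibin handler")
    if "exploit" in ev["ua"].lower():
        reasons.append("suspicious user agent")
    return reasons


def detect(log_text: str) -> list[dict[str, object]]:
    """Run classify() over every line and collect the events that fired."""
    alerts: list[dict[str, object]] = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            reasons = classify(ev)
            if reasons:
                alerts.append({"ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return alerts
```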

🔗 References
