CVE-2022-43620 – This vulnerability allows network-adjacent atta... (How to Fix)

Q: What is the severity of CVE-2022-43620?

CVE-2022-43620 has a CVSS score of 8.8 (HIGH). This vulnerability allows network-adjacent attackers to bypass authentication on D-Link DIR-1935 routers by exploiting improper HNAP login request handling. Attackers can gain unauthorized access to router administration without credentials. Only users of affected D-Link DIR-1935 routers with vulnerable firmware are impacted.

📋 TL;DR

This vulnerability allows network-adjacent attackers to bypass authentication on D-Link DIR-1935 routers by exploiting improper HNAP login request handling. Attackers can gain unauthorized access to router administration without credentials. Only users of affected D-Link DIR-1935 routers with vulnerable firmware are impacted.

💻 Affected Systems

Products:

D-Link DIR-1935

Versions: Firmware version 1.03

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects routers with default configuration. HNAP protocol must be enabled (typically default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full router compromise allowing attacker to change network settings, intercept traffic, install malware, or use router as pivot point into internal network

🟠

Likely Case

Unauthorized access to router admin panel enabling network configuration changes, DNS hijacking, or credential theft

🟢

If Mitigated

No impact if router is patched or isolated from untrusted networks

🌐 Internet-Facing: HIGH - If router admin interface is exposed to internet, remote exploitation is possible

🏢 Internal Only: HIGH - Network-adjacent attackers on local network can exploit without authentication

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires network access but no authentication. ZDI advisory includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.04 or later

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310

Restart Required: Yes

Instructions:

1. Download firmware 1.04+ from D-Link support site. 2. Log into router admin panel. 3. Navigate to System > Firmware Update. 4. Upload and apply new firmware. 5. Wait for router to reboot.

🔧 Temporary Workarounds

Disable HNAP protocol

all

Disable HNAP service if not required for functionality

Restrict admin interface access

all

Limit router admin access to specific trusted IP addresses only

🧯 If You Can't Patch

Isolate router on separate VLAN from untrusted devices
Implement network segmentation to limit lateral movement if compromised

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel under System > Firmware. If version is 1.03, router is vulnerable.

Check Version:

No CLI command - check via web admin interface at http://router_ip

Verify Fix Applied:

After updating, verify firmware version shows 1.04 or later in System > Firmware section.

📡 Detection & Monitoring

Log Indicators:

Multiple failed HNAP login attempts followed by successful login from same IP
Unauthorized admin access from new IP addresses

Network Indicators:

Unusual HNAP protocol traffic patterns
Admin interface access from unexpected network segments

SIEM Query:

source="router_logs" AND (event="HNAP_login" AND result="success") AND NOT src_ip IN [trusted_admin_ips]

📊 Metadata

CVE ID: CVE-2022-43620

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: March 29, 2023

Last Updated: November 21, 2024

🔗 References

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310 Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-1494/ Third Party Advisory,VDB Entry
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310 Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-1494/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-43620, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Dir 1935 Firmware by Dlink

Dir 1935 Firmware by Dlink

Dir 1935 Firmware by Dlink

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable HNAP protocol

Restrict admin interface access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities