CVE Vulnerability

CVE-2022-40719

This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd_generic.lua plugin for the xupnpd service, which listens on TCP port 4044 by default. When parsing the feed parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15906.

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.zerodayinitiative.com/advisories/ZDI-22-1223/ Third Party Advisory VDB Entry
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10304 Patch Vendor Advisory
Configurations

Configuration 1
Information

Published : 2023-01-26 06:59

Updated : 2023-02-02 03:17

NVD link : CVE-2022-40719

Mitre link : CVE-2022-40719

Products Affected
No products.
CWE
CWE-78