CVE-2022-50596

CVE-2022-50596 is a command injection vulnerability (CWE-78) in D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05. The issue exists within the web management interface, specifically in the SetDest/Dest/Target arguments to the GetDeviceSettings form. This flaw enables unauthenticated attackers to execute arbitrary commands on the device with root privileges. The management interface is accessible over HTTP and HTTPS on local and Wi-Fi networks and optionally from the Internet, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers able to reach the exposed web management interface can exploit the vulnerability to achieve remote code execution as root on the router. Exploitation requires no privileges, user interaction, or special conditions beyond network access, making it highly practical for remote attackers if the interface faces the Internet or for local/Wi-Fi adversaries.

Advisories provide mitigation guidance, including D-Link's support announcement SAP10298 at https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10298. Additional details on the vulnerability and remediation are available from Exodus Intelligence at https://blog.exodusintel.com/2022/05/11/d-link-dir-1260-getdevicesettings-pre-auth-command-injection-vulnerability/ and VulnCheck at https://www.vulncheck.com/advisories/dlink-dir1260-getdevicesettings-unauthenticated-command-injection.