CVE-2024-57595
Published: 27 January 2025
Description
DLINK DIR-825 REVB 2.03 devices have an OS command injection vulnerability in the CGI interface apc_client_pin.cgi, which allows remote attackers to execute arbitrary commands via the parameter "wps_pin" passed to the apc_client_pin.cgi binary through a POST request.
Security Summary
CVE-2024-57595 is an OS command injection vulnerability (CWE-78) affecting D-Link DIR-825 REVB devices running firmware version 2.03. The flaw resides in the CGI interface script apc_client_pin.cgi, where the "wps_pin" parameter in POST requests to the binary is vulnerable to injection. This allows attackers to execute arbitrary operating system commands. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility without authentication or user interaction.
Remote, unauthenticated attackers can exploit this vulnerability by crafting a malicious POST request to the apc_client_pin.cgi endpoint with a command injected into the wps_pin parameter. Successful exploitation grants full arbitrary command execution on the device, potentially leading to complete compromise, including data theft, persistence, or use as a pivot in further network attacks.
Advisories and additional details are available via the D-Link security bulletin at https://www.dlink.com/en/security-bulletin/ and a GitHub repository documenting the issue at https://github.com/IdaJea/IOT_vuln_1/blob/master/DIR825/wps_pin.md, which may include mitigation guidance or patch information.
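As an added example (not code from the D-Link firmware or the referenced advisories), the following C sketch shows the kind of allowlist check that keeps a wps_pin value from ever carrying shell syntax into a command. It assumes the field is meant to hold a standard 8-digit WPS PIN with its check digit; the function names and sample request bodies are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Accept only exactly eight ASCII digits whose last digit is the WPS check
 * digit (computed over the first seven digits with weights 3,1,3,1,3,1,3). */
int wps_pin_is_valid(const char *pin)
{
    int accum = 0;
    if (pin == NULL || strlen(pin) != 8)
        return 0;
    for (int i = 0; i < 8; i++)
        if (pin[i] < '0' || pin[i] > '9')
            return 0;
    for (int i = 0; i < 7; i++)
        accum += (pin[i] - '0') * ((i % 2 == 0) ? 3 : 1);
    return (10 - accum % 10) % 10 == pin[7] - '0';
}

/* Find wps_pin in a urlencoded body; copy it to out only if it validates.
 * No percent-decoding is done: an encoded value is not 8 digits, so it fails closed. */
int wps_pin_from_body(const char *body, char out[9])
{
    static const char key[] = "wps_pin=";
    const size_t klen = sizeof key - 1;
    for (const char *p = body; p != NULL && *p != '\0'; ) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= klen && memcmp(p, key, klen) == 0) {
            if (len - klen != 8)
                return 0;
            memcpy(out, p + klen, 8);
            out[8] = '\0';
            return wps_pin_is_valid(out);
        }
        p = end ? end + 1 : NULL;
    }
    return 0; /* field absent */
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    const char *samples[] = { "action=set&wps_pin=12345670", "wps_pin=12345678", "wps_pin=1234567%3B" };
    char pin[9];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i], wps_pin_from_body(samples[i], pin) ? "accept" : "reject");
    return 0;
}
```

A value that passes this check contains digits only, so it is safe to hand to a child process as a single argv element; rejecting everything else at the CGI boundary is what removes the injection surface.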
Details
- CWE(s)