First published: Thu Feb 17 2022
A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetWizardConfig.php on the D-Link DIR-846 router running firmware DIR846A1_FW100A43.bin or DIR846enFW100A53DLA-Retail.bin. Malicious users can exploit it by placing "\ " or backticks among the shell metacharacters in the ssid0 or ssid1 parameters to cause arbitrary command execution. Since the CVE-2019-17510 vulnerability has not been patched and www/hnap1/control/setwizardconfig.php has not been improved, line breaks and backquotes can also be used to bypass the existing filtering.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Dlink Dir-846 Firmware | =100a43 | 
Dlink Dir-846 | =a1 | 
Dlink Dir-846 Firmware | =100a53dla | 
Dlink Dir-846 | | 
The severity of CVE-2021-46315 is critical with a CVSS score of 9.8.
The Remote Command Execution (RCE) vulnerability in HNAP1/control/SetWizardConfig.php affects D-Link Router DIR-846 if it is running the vulnerable firmware versions DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin.
Malicious users can exploit the Remote Command Execution (RCE) vulnerability in D-Link Router DIR-846 to execute arbitrary commands on the device by using shell metacharacters in the ssid0 or ssid1 parameters.
To check whether your D-Link Router DIR-846 is vulnerable to the Remote Command Execution (RCE) vulnerability, check whether it is running either the DIR846A1_FW100A43.bin or the DIR846enFW100A53DLA-Retail.bin firmware version.
To mitigate the Remote Command Execution (RCE) vulnerability in D-Link Router DIR-846, update the firmware to a non-vulnerable version provided by D-Link and follow their security recommendations.
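As an added illustration (not code from this page or from D-Link), the following Python check flags SetWizardConfig requests whose ssid0/ssid1 values fall outside a strict SSID allow-list, which rejects the line-break and backtick bypasses described above without having to enumerate them. The request bodies, the form-encoded and SOAP-style layouts, and the allow-list pattern are assumptions.

```python
import re
from urllib.parse import parse_qs

# Allow-list for SSID values (assumption: stricter than 802.11, which permits
# any 0..32 bytes). An allow-list rejects newline, backtick, backslash and
# every other shell metacharacter by construction, whereas a block-list that
# only strips "\ " and backticks still lets line breaks through.
SSID_ALLOWED = re.compile(r'^[A-Za-z0-9 _.-]{1,32}$')

# Endpoint named on the page; matched case-insensitively.
VULNERABLE_PATH = 'setwizardconfig'


def ssid_is_safe(ssid: str) -> bool:
    """True only if the SSID consists solely of allow-listed characters."""
    return SSID_ALLOWED.match(ssid) is not None


def extract_ssids(body: str) -> dict:
    """Pull ssid0/ssid1 from a form-encoded or SOAP-style XML body (assumed layouts)."""
    found = {}
    if body.lstrip().startswith('<'):
        for m in re.finditer(r'<(ssid[01])>(.*?)</\1>', body, re.S):
            found[m.group(1)] = m.group(2)
    else:
        # parse_qs percent-decodes, so %0A becomes a real newline before validation
        for key, values in parse_qs(body, keep_blank_values=True).items():
            if key in ('ssid0', 'ssid1'):
                found[key] = values[0]
    return found


def inspect_request(path: str, body: str) -> list:
    """Return one alert per unsafe SSID parameter in a SetWizardConfig request."""
    if VULNERABLE_PATH not in path.lower():
        return []
    return [f'{k}: unsafe value {v!r}'
            for k, v in extract_ssids(body).items() if not ssid_is_safe(v)]


# Constructed sample requests (not captured traffic)
SAMPLES = [
    ('/HNAP1/control/SetWizardConfig.php', 'ssid0=HomeNet&ssid1=Guest-5G'),
    ('/HNAP1/control/SetWizardConfig.php', 'ssid0=Home%0Ahi&ssid1=ok'),
    ('/HNAP1/control/SetWizardConfig.php',
     '<soap:Body><SetWizardConfig><ssid0>Home`x`</ssid0></SetWizardConfig></soap:Body>'),
    ('/HNAP1/control/GetDeviceSettings.php', 'ssid0=`x`'),
]

if __name__ == '__main__':
    for path, body in SAMPLES:
        print(path, inspect_request(path, body))
```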