RCE in D-Link DIR-1260
CVE-2022-50596
D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability in the web management interface that allows unauthenticated attackers to execute arbitrary commands on the device…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.063 (91.2th percentile)
Affected products
- D-Link DIR-1260 — versions 0
Weakness classification (CWE)
References
- supportannouncement.us.dlink.com/announcement/publication.aspx (vendor-advisory, patch)
- blog.exodusintel.com/2022/05/11/d-link-dir-1260-getdevicesettings-pre-auth-comm… (technical-description)
- www.vulncheck.com/advisories/dlink-dir1260-getdevicesettings-unauthenticated-co… (third-party-advisory)