Critical Vulnerability Information

Affected Products

D-Link Router DWR-M920 B2 V1.1.5 - Command Injection Vulnerability in /boafirm/formDebugDiagnosticRun

Vulnerability Details

Vendor: D-Link (D-Link Electronics (Shanghai) Co., Ltd.)
Product: D-Link DWR-M920
Affected Version: Hardware B2, Firmware V1.1.5
Vulnerability Type: Command Injection (Binary)

Vulnerability Description

During a security review of the application, a critical command injection vulnerability was discovered in the endpoint. This vulnerability resides within the function, which calls the function. The latter uses the function to parse the "host" parameter received from the incoming request, and the resulting string is directly passed to the function. This allows an attacker to execute arbitrary operating system commands with server privileges.

Vulnerability Location

Root Cause

A command injection vulnerability was identified in the endpoint of the application. The root cause lies in the function (called by ), which processes the "host" parameter, formats it into a command string using , and directly passes it to the function. This enables an attacker to inject arbitrary shell commands via shell metacharacters ( , , , ) within the "host" parameter.

Impact

An attacker can exploit this vulnerability to achieve various malicious outcomes, including:

- Denial of Service (DoS): Crashing the web server process or the device itself.
- Arbitrary Code Execution: Gaining full control over the device by executing arbitrary commands, potentially leading to network traffic monitoring, data theft, or using the router as a pivot point to attack other devices on the network.

Proof of Concept (PoC)

This vulnerability is triggered after authentication. The following Python script automates the login process and performs the command injection.

[Insert Python script]

Local Reproduction Screenshots

- Environment set up using FirmAE
- PoC executed via Burp Repeater - Result: Web server crash, device becomes unreachable