diag_ping.cmd on D-Link DSL-2640U devices with firmware IM_1.00 and ME_1.00, and DSL-2540U devices with firmware ME_1.00, allows authenticated remote attackers to execute arbitrary OS commands via shell metacharacters in the ipaddr field of an HTTP GET request.
References
| Link | Resource |
|---|---|
| https://www.iplantom.com/2018/01/10/dsl2640U/ | Exploit Technical Description Third Party Advisory URL Repurposed |
Configurations
Configuration 1 (hide)
| AND |
|
Configuration 2 (hide)
| AND |
|
History
14 Feb 2024, 01:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.iplantom.com/2018/01/10/dsl2640U/ - Exploit, Technical Description, Third Party Advisory, URL Repurposed |
26 Apr 2023, 18:55
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Dlink dsl-2640u
Dlink Dlink dsl-2540u |
|
| CPE | cpe:2.3:h:d-link:dsl-2640u:-:*:*:*:*:*:*:* |
cpe:2.3:h:dlink:dsl-2540u:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dsl-2640u:-:*:*:*:*:*:*:* |
Information
Published : 2018-01-12 09:29
Updated : 2024-02-14 01:17
NVD link : CVE-2018-5371
Mitre link : CVE-2018-5371
CVE.ORG link : CVE-2018-5371
JSON object : View
Products Affected
dlink
- dsl-2640u
- dsl-2540u
d-link
- dsl-2640u_firmware
- dsl-2540u_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')