CVE-2022-42161 is a command injection vulnerability identified in D-Link COVR series routers, specifically models 1200, 1202, and 1203 running firmware version 1.08. The vulnerability exists in the function SetTriggerWPS, which processes the /SetTriggerWPS/PIN parameter. An attacker with low privileges (PR:L) but no user interaction (UI:N) required can exploit this flaw remotely over the network (AV:N). The vulnerability allows the attacker to inject arbitrary commands due to improper input sanitization of the PIN parameter, classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). Successful exploitation can lead to full compromise of the device, impacting confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 8.8, indicating a high severity level. Although no public exploits are currently known in the wild, the ease of exploitation combined with the critical impact makes this a significant threat. The lack of available patches at the time of reporting increases the urgency for mitigation. This vulnerability could be leveraged to execute arbitrary commands on the router, potentially allowing attackers to manipulate network traffic, intercept sensitive data, or disrupt network availability.

For European organizations, the impact of CVE-2022-42161 is considerable. D-Link COVR routers are commonly used in small to medium enterprises and home office environments, which are prevalent across Europe. Exploitation could lead to unauthorized access to internal networks, interception of confidential communications, and disruption of business operations. Given the high confidentiality, integrity, and availability impact, attackers could use this vulnerability to establish persistent footholds, launch further attacks within corporate networks, or exfiltrate sensitive data. The vulnerability's remote exploitability without user interaction increases the risk of widespread compromise. This is particularly concerning for sectors with high data protection requirements under GDPR, such as finance, healthcare, and government institutions. Additionally, compromised routers could be used as part of botnets or to launch attacks against other critical infrastructure, amplifying the threat landscape in Europe.

1. Immediate network segmentation: Isolate affected D-Link COVR routers from critical network segments to limit potential lateral movement. 2. Disable WPS functionality: Since the vulnerability is triggered via the WPS PIN parameter, disabling WPS on affected devices reduces attack surface. 3. Apply firmware updates: Monitor D-Link’s official channels for firmware patches addressing this vulnerability and apply them promptly once available. 4. Implement strict access controls: Restrict management interface access to trusted IP addresses and use VPNs for remote management. 5. Network monitoring and intrusion detection: Deploy IDS/IPS solutions tuned to detect anomalous commands or traffic patterns targeting the /SetTriggerWPS endpoint. 6. Conduct regular vulnerability scans: Identify devices running vulnerable firmware versions and prioritize remediation. 7. Educate users and administrators: Raise awareness about the risks of using default or weak credentials and the importance of timely patching. 8. Consider device replacement: For environments where patching is delayed or unsupported, replace vulnerable devices with models that have robust security support.