D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetMasterWLanSettings with shell metacharacters to /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php.

Published: 2019-10-11 20:15
Updated: 2019-10-15 20:32

CVSS Score
Score 10.0 / 10
Vendor: Dlink
Product: Dir-846 Firmware
Version: 100a35
URI: cpe:/o:dlink:dir-846_firmware:100a35


ID: CWE-78
Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

History of changes

Date Event
2019-10-15 20:32
2019-10-11 20:25