Impact
A remote attacker can supply a crafted IPAddress value to the HNAP1 SetNetworkSettings handler on a D‑Link DIR‑882 router. The value is passed to a vulnerable sprintf call in prog.cgi, which results in OS command injection. The attacker can cause the router to execute arbitrary shell commands, potentially affecting the device’s integrity and availability.
Affected Systems
This flaw affects the D‑Link DIR‑882 router running firmware version 1.01B02. The firmware is no longer supported by the manufacturer, and no other revisions or devices are listed as impacted.
Risk and Exploitability
The CVSS score of 8.6 categorizes the vulnerability as high severity, and an EPSS score of 5% indicates a moderate probability that it will be exploited in the wild. Although the vulnerability is not listed in the CISA KEV catalog, the public exploit code combined with the lack of official vendor support increases the risk. Because the attack can be performed remotely without requiring authentication, exposed devices remain at significant risk.
OpenCVE Enrichment