Known Exploited Vulnerabilities CVE-2022-26258 Mappings

D-Link DIR-820L 1.05B03 was discovered to contain a remote command execution (RCE) vulnerability via HTTP POST to get set ccp.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2022-26258 | D-Link DIR-820L Remote Code Execution Vulnerability | secondary_impact | T1499.002 | Service Exhaustion Flood | |
| CVE-2022-26258 | D-Link DIR-820L Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | |
| CVE-2022-26258 | D-Link DIR-820L Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | |

Comments (identical for all three mappings)

This remote command execution vulnerability is exploited by an adversary via HTTP POST to get set ccp. The exploit targets a command injection vulnerability in the /lan.asp component. The component does not properly sanitize the value of the HTTP parameter DeviceName, which can lead to arbitrary command execution. Adversaries have leveraged this vulnerability to spread a variant of the Mirai botnet called MooBot in order to cause a distributed denial-of-service attack.