CVE-2021-28144

CVE-2021-28144

EPSS 6.0%

prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely.

Affected products

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/161757/D-Link-DIR-3060-1.11b04-Command-Injection.html http://seclists.org/fulldisclosure/2021/Mar/23 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10208 https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/