CVE-2022-40799

CVSS 8.8 HIGH · EPSS 31.3% · KEV · CWE-494
In short

An authenticated attacker can execute system commands on a D-Link DNR-322L network recorder through a flaw in the backup configuration feature. This allows an attacker with login credentials to gain full control over the device.

Technical detail

CWE-494 (Download of Code Without Integrity Check) in the 'Backup Config' functionality allows authenticated users to upload and execute arbitrary OS commands. Exploitation requires valid credentials, but once exploited the flaw provides OS-level command execution, compromising the integrity of the entire system.

Summary generated and translated by AI from the official description.
Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
