CVE-2024-41622: D-Link DIR-846W Firmware RCE Vulnerability

CVE-2024-41622 Overview

CVE-2024-41622 is a remote command execution vulnerability affecting the D-Link DIR-846W A1 router running firmware version FW100A43. The flaw resides in the /HNAP1/ interface, where the tomography_ping_address parameter is passed to a shell context without proper sanitization. Unauthenticated attackers can inject operating system commands through this parameter and execute them with the privileges of the router's web service. The vulnerability is classified under CWE-78 (OS Command Injection).

Critical Impact

Remote, unauthenticated attackers can execute arbitrary operating system commands on affected DIR-846W routers, leading to full device takeover, traffic interception, and lateral movement into internal networks.

Affected Products

• D-Link DIR-846W A1 hardware revision
• D-Link DIR-846W firmware version FW100A43
• Networks exposing the /HNAP1/ management interface

Discovery Timeline

• 2024-08-27 - CVE-2024-41622 published to NVD
• 2024-08-30 - Last updated in NVD database

Technical Details for CVE-2024-41622

Vulnerability Analysis

The D-Link DIR-846W exposes the Home Network Administration Protocol (HNAP) endpoint at /HNAP1/ for device administration. The endpoint accepts SOAP-style requests and processes diagnostic actions, including a network tomography ping function. The tomography_ping_address parameter is intended to receive an IP address or hostname for the router to ping, but the handler concatenates the value into a shell command string without escaping or validation. Any shell metacharacters supplied in the parameter are interpreted by the underlying operating system shell.

Because /HNAP1/ does not require authentication for the affected action on this firmware revision, an attacker reachable over the network can submit a crafted request and immediately gain command execution. The web service on consumer routers typically runs as root, so successful exploitation yields full administrative control of the device.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-78]. The firmware passes user-controlled input from the tomography_ping_address field directly to a shell invocation of the system ping utility, allowing characters such as ;, |, &, and backticks to break out of the intended argument context.

Attack Vector

Exploitation requires only network reachability to the router's web management interface. An attacker sends an HTTP POST request to /HNAP1/ invoking the ping tomography action and embeds shell metacharacters within the tomography_ping_address value. The injected command runs in the router's shell with the privileges of the HTTP daemon. A public proof of concept is referenced on the NVD entry, indicating the technique is documented externally. See the GitHub PoC for CVE-2024-41622 and the D-Link Security Bulletin for technical details.

Detection Methods for CVE-2024-41622

Indicators of Compromise

• HTTP POST requests to /HNAP1/ that contain shell metacharacters (;, |, &, `, $() within the tomography_ping_address field.
• Outbound connections from the router to unexpected hosts shortly after HNAP requests, indicating reverse shells or payload retrieval.
• Unexpected processes such as wget, tftp, nc, or sh spawned by the router's HTTP service.
• Modified router configuration, DNS settings, or firmware images that do not match the vendor baseline.

Detection Strategies

• Inspect web server and reverse proxy logs for HNAP requests containing non-IP characters in tomography_ping_address.
• Deploy network intrusion detection signatures that match command injection patterns in SOAP request bodies targeting /HNAP1/.
• Correlate router management traffic with downstream network anomalies such as DNS hijacking or unusual scanning from the device.

Monitoring Recommendations

• Monitor inbound traffic to TCP/80 and TCP/443 of consumer-grade D-Link devices, especially /HNAP1/ URIs from untrusted networks.
• Alert on any administrative access to DIR-846W routers originating from WAN-side IP addresses.
• Track DNS resolver settings and firmware version reports from managed devices to detect tampering.

How to Mitigate CVE-2024-41622

Immediate Actions Required

• Disable remote (WAN-side) management on all DIR-846W devices and restrict /HNAP1/ access to trusted LAN segments only.
• Block inbound HTTP and HTTPS traffic to the router's management interface at the network perimeter.
• Audit existing DIR-846W deployments for signs of compromise, including modified DNS, admin credentials, and firmware.
• Plan replacement of end-of-support D-Link consumer hardware where no patched firmware is available.

Patch Information

No vendor patch is currently listed in the NVD references for CVE-2024-41622. Administrators should consult the D-Link Security Bulletin and the D-Link DIR-846W Product Information page for firmware updates or vendor advisories. If the device is past end-of-life, replacement with a supported model is the recommended remediation.

Workarounds

• Place the router behind an upstream firewall and deny all unsolicited inbound traffic to the management interface.
• Restrict HNAP access using ACLs to administrative IP addresses only, where the device firmware supports such filtering.
• Segment IoT and consumer routers onto isolated VLANs to limit blast radius if the device is compromised.
• Replace affected hardware with a supported router that receives active security updates.

# Example perimeter firewall rule to block external access to the HNAP interface
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -m string \
  --string "/HNAP1/" --algo bm -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -m string \
  --string "/HNAP1/" --algo bm -j DROP