D-Link DIR-1260 <= v1.20B05 GetDeviceSettings Unauthenticated Command Injection

Advisories

D-Link DIR-1260 <= v1.20B05 GetDeviceSettings Unauthenticated Command Injection

severity: critical
date: 11/6/2025
Affecting: DIR-1260 <= v1.20B05
CVE: CVE-2022-50596
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: D-Link Vendor Advisory
Exodus Intelligence Disclosure
Credit: Exodus Intelligence
Description: D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local and Wi-Fi networks and optionally from the Internet.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo