{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/dir-822-a_101/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7067"}],"_cs_exploited":false,"_cs_products":["DIR-822 A_101"],"_cs_severities":["high"],"_cs_tags":["command-injection","dhcp","iot"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA command injection vulnerability, tracked as CVE-2026-7067, has been identified in D-Link DIR-822 hardware with firmware version A_101. The vulnerability lies within the udhcpd DHCP service, specifically in the handling of the Hostname argument in the /udhcpcd/dhcpd.c file. A remote attacker can exploit this flaw by injecting arbitrary commands through a crafted Hostname field in a DHCP request. While a proof-of-concept exploit is publicly available, this vulnerability is less impactful because the D-Link DIR-822 A_101 is no longer supported by the vendor, potentially limiting the number of affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-822 A_101 device.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DHCP request containing a command injection payload in the Hostname field.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted DHCP request to the vulnerable device.\u003c/li\u003e\n\u003cli\u003eThe udhcpd service parses the DHCP request and extracts the Hostname.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the injected command within the Hostname is passed to the \u003ccode\u003esystem\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esystem\u003c/code\u003e function executes the injected command with the privileges of the udhcpd process (typically root).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as gaining persistent access, modifying device configuration, or using the device as part of a botnet.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this command injection vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected D-Link DIR-822 A_101 device. Given the end-of-life status of the product, patching is unlikely, leaving devices vulnerable. An attacker could leverage this vulnerability to gain complete control of the router, potentially compromising networks connected to it. The specific number of vulnerable devices is unknown, but the impact could be significant if many devices remain in use.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect command injection attempts via DHCP Hostname (Sigma rule: \u003ccode\u003eDHCP Hostname Command Injection\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious DHCP requests containing unusual characters or command sequences in the Hostname field, using network monitoring tools.\u003c/li\u003e\n\u003cli\u003eConsider network segmentation to isolate potentially vulnerable D-Link DIR-822 A_101 devices from critical network resources.\u003c/li\u003e\n\u003cli\u003eIf replacement is not immediately feasible, implement strict access control lists on the firewall to limit access to the D-Link DIR-822 A_101 device\u0026rsquo;s management interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T00:20:13Z","date_published":"2026-04-27T00:20:13Z","id":"/briefs/2026-04-dlink-dir822-cmd-injection/","summary":"A command injection vulnerability exists in D-Link DIR-822 A_101, specifically within the udhcpd DHCP service; by manipulating the Hostname argument, a remote attacker can inject commands, but the affected product is no longer supported.","title":"D-Link DIR-822 A_101 Command Injection via DHCP Hostname","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-dir822-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — DIR-822 A_101","version":"https://jsonfeed.org/version/1.1"}