CVE-2018-6530
CVE-2018-6530 is a critical-severity vulnerability in Dlink Dir-860l Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-09-08). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 97% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-09-08)
- EU (EUVD) id: EUVD-2018-18282
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-09-08)
- Weakness: CWE-78
- Affected product: Dlink Dir-860l Firmware
- Published:
- Last modified:
Description
OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
CVE-2018-6530: OS Command Injection in D-Link DIR-8x0L SOAP Interface
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2018-6530 |
| CVSS 2.0 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS 3.1 | 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| EPSS | 0.96626 (99.88th percentile) |
| KEV | Yes (CISA catalog, added 2022-09-08) |
| Affected Products | D-Link DIR-860L, DIR-865L, DIR-868L, DIR-880L |
Summary
CVE-2018-6530 is an unauthenticated OS command injection vulnerability in the SOAP interface of several D-Link consumer routers. The service parameter in soap.cgi is passed to a system command without adequate sanitization, allowing remote attackers to execute arbitrary commands on the device.
Background
The affected D-Link routers expose a SOAP-based management interface through the Common Gateway Interface (cgibin). The soap.cgi endpoint handles SOAP requests via the soapcgi_main function. Because this endpoint is reachable without authentication from the LAN side (and potentially from the WAN side if remote management is enabled), it represents a high-risk attack surface. Consumer routers are frequently deployed with default settings and rarely patched, amplifying the exposure of this flaw.
Root Cause
The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
In soapcgi_main, the service parameter from the incoming SOAP request is incorporated into a shell command string without proper input validation or escaping. This allows shell metacharacters injected into the parameter to alter the intended command semantics and execute attacker-controlled instructions.
Impact
- Confidentiality: Complete. An attacker can read arbitrary files, extract credentials, or intercept network traffic.
- Integrity: Complete. The attacker can modify router configuration, firmware, or inject malicious behavior.
- Availability: Complete. The attacker can crash the device or render it unusable.
These impact ratings align with the CVSS 3.1 score of 9.8 (Critical) and the CVSS 2.0 score of 10.0, both reflecting an unauthenticated network attack with low complexity and complete impact across the CIA triad.
Exploitation Walkthrough
This section is provided for defensive awareness only. Exploiting systems without explicit authorization is illegal and unethical.
The attack flow is straightforward:
- The attacker sends an HTTP request to the router's
soap.cgiendpoint. - The
serviceparameter contains shell metacharacters (e.g., backticks, semicolons, command substitution sequences) in addition to a legitimate service name. - The router's
cgibinprocess passes the tainted parameter to a system shell. - The injected command executes with the privileges of the router's web server process (typically
rooton embedded Linux firmware).
Defensive note: Because the attack is unauthenticated and over HTTP, any device on the same network segment—or on the internet if remote management is enabled—can reach the endpoint. No user interaction is required.
Affected and Patched Versions
| Device | Vulnerable Versions | Patched Versions |
|---|---|---|
| D-Link DIR-860L | DIR860LA1_FW110b04 and previous | 1.11B01 (per vendor patch notes) |
| D-Link DIR-865L | DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous | 1.10B01 (per vendor patch notes) |
| D-Link DIR-868L | DIR868LA1_FW112b04 and previous | 1.20B01 (per vendor patch notes) |
| D-Link DIR-880L | DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous | 1.08B06 (per vendor patch notes) |
Note: D-Link has published security advisories for each affected model. If your device is end-of-life and no patch is available, replacement is strongly recommended.
Remediation
- Upgrade firmware to the patched version listed above for your specific model.
- Disable remote management (WAN-side administration) to prevent internet-based exploitation.
- Restrict access to the router's web interface to trusted internal hosts only.
- Segment IoT devices on a separate VLAN or guest network to limit lateral movement if a router is compromised.
- Replace end-of-life hardware that no longer receives vendor security updates.
Detection
- Monitor HTTP logs for requests to
/soap.cgiwith anomalousserviceparameter values containing shell syntax characters (;,|,`,$(,&). - Alert on unexpected child processes spawned by
cgibinor the web server process. - Watch for anomalous outbound connections from the router (e.g., reverse shells, DNS exfiltration, or unexpected NTP/HTTP traffic).
- Enable network intrusion detection (IDS/IPS) signatures targeting known D-Link SOAP command injection patterns.
Assessment
With an EPSS score of 0.96626 (approximately the 99.88th percentile), this vulnerability is among the most likely to be exploited in the wild. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2022-09-08, and the EUVD also lists it as exploited (EUVD-2018-18282) since the same date. These indicators confirm that threat actors are actively using this flaw.
Key lessons:
- Consumer-grade routers frequently lack robust input validation on management interfaces, making them high-value targets.
- SOAP and other RPC-style endpoints on embedded devices should be treated as sensitive attack surfaces and hardened accordingly.
- Organizations and home users should replace unsupported networking hardware rather than relying on compensating controls alone.
References
- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf
- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf
- ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_NOTES_1.10B01_EN_WW.pdf
- ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-880L/REVA/DIR-880L_REVA_FIRMWARE_PATCH_NOTES_1.08B06_EN_WW.pdf
- https://github.com/TheBeeMan/Pwning-multiple-dlink-router-via-SOAP-proto
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6530
Frequently asked questions
- What is CVE-2018-6530?
- OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
- How severe is CVE-2018-6530?
- CVE-2018-6530 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-6530 being actively exploited?
- Yes. CVE-2018-6530 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-09-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-6530?
- CVE-2018-6530 primarily affects Dlink Dir-860l Firmware. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-6530?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-6530 have an EU (EUVD) identifier?
- Yes. CVE-2018-6530 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-18282. It is also flagged as exploited in the EUVD (since 2022-09-08).
- When was CVE-2018-6530 published?
- CVE-2018-6530 was published on 2018-03-06 and last updated on 2026-06-17.
References
- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf
- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf
- ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_NOTES_1.10B01_EN_WW.pdf
- ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-880L/REVA/DIR-880L_REVA_FIRMWARE_PATCH_NOTES_1.08B06_EN_WW.pdf
- https://github.com/TheBeeMan/Pwning-multiple-dlink-router-via-SOAP-proto
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6530
Affected products (4)
- cpe:2.3:o:dlink:dir-860l_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:dlink:dir-865l_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:dlink:dir-868l_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:dlink:dir-880l_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Dlink Dir-860l Firmware
- CVE-2024-42812 — Critical (CVSS 9.8): In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID…
- CVE-2024-41611 — Critical (CVSS 9.8): In D-Link DIR-860L REVA FIRMWARE PATCH 1.10..B04, the Telnet service contains hardcoded credentials, enabling attackers…
- CVE-2018-20114 — Critical (CVSS 9.8): On D-Link DIR-818LW Rev.A 2.05.B03 and DIR-860L Rev.B 2.03.B03 devices, unauthenticated remote OS command execution can…
- CVE-2025-9026 — High (CVSS 7.3): A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file…
- CVE-2024-37605 — Medium (CVSS 6.5): A NULL pointer dereference in D-Link DIR-860L REVB_FIRMWARE_2.04.B04_ic5b allows attackers to cause a Denial of Service…
- CVE-2020-25786 — Medium (CVSS 6.1): webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer…
All CVEs affecting Dlink Dir-860l Firmware →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…