CVE-2018-6530

CVE-2018-6530 is a critical-severity vulnerability in Dlink Dir-860l Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-09-08). The underlying weakness is classified as CWE-78.

Key facts

Description

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.

CVE-2018-6530: OS Command Injection in D-Link DIR-8x0L SOAP Interface

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2018-6530
CVSS 2.0 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS 3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
EPSS 0.96626 (99.88th percentile)
KEV Yes (CISA catalog, added 2022-09-08)
Affected Products D-Link DIR-860L, DIR-865L, DIR-868L, DIR-880L

Summary

CVE-2018-6530 is an unauthenticated OS command injection vulnerability in the SOAP interface of several D-Link consumer routers. The service parameter in soap.cgi is passed to a system command without adequate sanitization, allowing remote attackers to execute arbitrary commands on the device.

Background

The affected D-Link routers expose a SOAP-based management interface through the Common Gateway Interface (cgibin). The soap.cgi endpoint handles SOAP requests via the soapcgi_main function. Because this endpoint is reachable without authentication from the LAN side (and potentially from the WAN side if remote management is enabled), it represents a high-risk attack surface. Consumer routers are frequently deployed with default settings and rarely patched, amplifying the exposure of this flaw.

Root Cause

The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

In soapcgi_main, the service parameter from the incoming SOAP request is incorporated into a shell command string without proper input validation or escaping. This allows shell metacharacters injected into the parameter to alter the intended command semantics and execute attacker-controlled instructions.

Impact

  • Confidentiality: Complete. An attacker can read arbitrary files, extract credentials, or intercept network traffic.
  • Integrity: Complete. The attacker can modify router configuration, firmware, or inject malicious behavior.
  • Availability: Complete. The attacker can crash the device or render it unusable.

These impact ratings align with the CVSS 3.1 score of 9.8 (Critical) and the CVSS 2.0 score of 10.0, both reflecting an unauthenticated network attack with low complexity and complete impact across the CIA triad.

Exploitation Walkthrough

This section is provided for defensive awareness only. Exploiting systems without explicit authorization is illegal and unethical.

The attack flow is straightforward:

  1. The attacker sends an HTTP request to the router's soap.cgi endpoint.
  2. The service parameter contains shell metacharacters (e.g., backticks, semicolons, command substitution sequences) in addition to a legitimate service name.
  3. The router's cgibin process passes the tainted parameter to a system shell.
  4. The injected command executes with the privileges of the router's web server process (typically root on embedded Linux firmware).

Defensive note: Because the attack is unauthenticated and over HTTP, any device on the same network segment—or on the internet if remote management is enabled—can reach the endpoint. No user interaction is required.

Affected and Patched Versions

Device Vulnerable Versions Patched Versions
D-Link DIR-860L DIR860LA1_FW110b04 and previous 1.11B01 (per vendor patch notes)
D-Link DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous 1.10B01 (per vendor patch notes)
D-Link DIR-868L DIR868LA1_FW112b04 and previous 1.20B01 (per vendor patch notes)
D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous 1.08B06 (per vendor patch notes)

Note: D-Link has published security advisories for each affected model. If your device is end-of-life and no patch is available, replacement is strongly recommended.

Remediation

  1. Upgrade firmware to the patched version listed above for your specific model.
  2. Disable remote management (WAN-side administration) to prevent internet-based exploitation.
  3. Restrict access to the router's web interface to trusted internal hosts only.
  4. Segment IoT devices on a separate VLAN or guest network to limit lateral movement if a router is compromised.
  5. Replace end-of-life hardware that no longer receives vendor security updates.

Detection

  • Monitor HTTP logs for requests to /soap.cgi with anomalous service parameter values containing shell syntax characters (;, |, `, $(, &).
  • Alert on unexpected child processes spawned by cgibin or the web server process.
  • Watch for anomalous outbound connections from the router (e.g., reverse shells, DNS exfiltration, or unexpected NTP/HTTP traffic).
  • Enable network intrusion detection (IDS/IPS) signatures targeting known D-Link SOAP command injection patterns.

Assessment

With an EPSS score of 0.96626 (approximately the 99.88th percentile), this vulnerability is among the most likely to be exploited in the wild. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2022-09-08, and the EUVD also lists it as exploited (EUVD-2018-18282) since the same date. These indicators confirm that threat actors are actively using this flaw.

Key lessons:

  • Consumer-grade routers frequently lack robust input validation on management interfaces, making them high-value targets.
  • SOAP and other RPC-style endpoints on embedded devices should be treated as sensitive attack surfaces and hardened accordingly.
  • Organizations and home users should replace unsupported networking hardware rather than relying on compensating controls alone.

References

Frequently asked questions

What is CVE-2018-6530?
OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
How severe is CVE-2018-6530?
CVE-2018-6530 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2018-6530 being actively exploited?
Yes. CVE-2018-6530 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-09-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-6530?
CVE-2018-6530 primarily affects Dlink Dir-860l Firmware. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-6530?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-6530 have an EU (EUVD) identifier?
Yes. CVE-2018-6530 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-18282. It is also flagged as exploited in the EUVD (since 2022-09-08).
When was CVE-2018-6530 published?
CVE-2018-6530 was published on 2018-03-06 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Dlink Dir-860l Firmware

All CVEs affecting Dlink Dir-860l Firmware →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →