CVE-2015-1187

CRITICAL KEV

D-Link Routers - Remote Code Execution via ping.ccp

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2015-1187 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 2 public exploits from researchers including Metasploit, including a Metasploit module exploits/linux/http/multi_ncc_ping_exec.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in the ncc service of several D-Link and TRENDnet routers. It leverages the ping command functionality to execute arbitrary commands, download a payload, and achieve remote code execution.

Description

The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappslinux
https://www.exploit-db.com/exploits/41677

This Metasploit module exploits a command injection vulnerability in the ncc service of several D-Link and TRENDnet routers. It leverages the ping command functionality to execute arbitrary commands, download a payload, and achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: D-Link/TRENDnet routers (e.g., DIR-626L, DIR-808L, TEW-731BR)
No auth needed
Prerequisites: Network access to the vulnerable device · wget available on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/multi_ncc_ping_exec.rb

This Metasploit module exploits a command injection vulnerability in the ncc service of several D-Link and TRENDnet routers by sending a crafted POST request to the ping.ccp endpoint. It achieves remote code execution by injecting commands into the ping_addr parameter and leveraging wget to download and execute a payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: D-Link and TRENDnet routers (e.g., DIR-626L, DIR-808L, TEW-731BR)
No auth needed
Prerequisites: Network access to the vulnerable device · ncc service exposed and accessible
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (7)

Core 7
Core References
Issue Tracking, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/130607/D-Link-DIR636L-Remote-Command-Injection.html
Broken Link, Issue Tracking, Mitigation, Third Party Advisory x_refsource_misc
https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72848
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/15

Scores

CVSS v3 9.8
EPSS 0.8288
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2015-05-22
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2015-1329
CWE
CWE-287
Status published
Products (18)
dlink/dir-626l_firmware 1.04 b04
dlink/dir-636l_firmware 1.04
dlink/dir-651_firmware 1.10na b02
dlink/dir-808l_firmware 1.03 b05
dlink/dir-810l_firmware 1.01 b04
dlink/dir-810l_firmware 2.02 b01
dlink/dir-820l_firmware 1.02 b10
dlink/dir-820l_firmware 1.05 b03
dlink/dir-820l_firmware 2.01 b02
dlink/dir-826l_firmware 1.00 b23
... and 8 more
Published Sep 21, 2017
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026