CVE-2022-40799

HIGH KEV

D-Link DNR-322L <= 2.60B15 - Authenticated Remote Code Execution via Backup Config

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-40799 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 5, 2025. EIP tracks 1 public exploit from researchers including rtfmkiesel.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-40799, an authenticated remote code execution vulnerability in D-Link DNR-322L devices. The exploit leverages the lack of integrity checks in configuration backups to inject a malicious bash script into 'rc.init.sh', which executes on device reboot.

Description

Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.

Exploits (1)

gitlab WORKING POC
by rtfmkiesel · poc
https://gitlab.com/rtfmkiesel/cve-2022-40799

This repository contains a functional exploit for CVE-2022-40799, an authenticated remote code execution vulnerability in D-Link DNR-322L devices. The exploit leverages the lack of integrity checks in configuration backups to inject a malicious bash script into 'rc.init.sh', which executes on device reboot.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: D-Link DNR-322L <= 2.60B15
Auth required
Prerequisites: valid credentials for the target device · network access to the device · device must be online and not in sleep mode
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.5700
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-08-05
VulnCheck KEV 2025-08-05
ENISA EUVD EUVD-2022-44065
CWE
CWE-494
Status published
Products (1)
dlink/dnr-322l_firmware < 2.60b15
Published Nov 29, 2022
KEV Added Aug 05, 2025
Tracked Since Feb 18, 2026