CVE-2018-5371
published 2018-01-12CVE-2018-5371: diag_ping.cmd on D-Link DSL-2640U devices with firmware IM_1.00 and ME_1.00, and DSL-2540U devices with firmware ME_1.00, allows authenticated remote attackers…
PriorityP268high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EPSS
41.99%
98.5th percentile
diag_ping.cmd on D-Link DSL-2640U devices with firmware IM_1.00 and ME_1.00, and DSL-2540U devices with firmware ME_1.00, allows authenticated remote attackers to execute arbitrary OS commands via shell metacharacters in the ipaddr field of an HTTP GET request.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d-link | dsl-2540u_firmware | — | — |
| d-link | dsl-2640u_firmware | — | — |
| d-link | dsl-2640u_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link diag_ping.cmd ipaddr Parameter Command Injection Attempt (CVE-2018-5371)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"diag_ping.cmd|3f|"; fast_pattern; content:"ipaddr|3d|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.cve.org/CVERecord?id=CVE-2018-5371; reference:cve,2018-5371; classtype:attempted-admin; sid:2065764; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_13, cve CVE_2018_5371, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Exploit targets HTTP GET requests to the path 'diag_ping.cmd' with an 'ipaddr' parameter containing shell metacharacters (semicolon, newline, backtick, pipe, dollar sign) for OS command injection. ↗
- →Detect HTTP GET requests where the URI contains 'diag_ping.cmd?' followed by 'ipaddr=' and any of the following encoded or literal shell metacharacters: ; (%3B), newline (%0A), backtick (%60), pipe (%7C), or dollar sign (%24).
- →Traffic is plaintext (non-TLS); detection should be applied at the network perimeter and internally on HTTP traffic to networking equipment.
- ·Exploit requires authentication; unauthenticated scanning alone will not trigger the vulnerability. Ensure detection logic accounts for authenticated sessions. ↗
- ·Affected firmware versions are specifically IM_1.00 and ME_1.00 for DSL-2640U, and ME_1.00 for DSL-2540U. Scope detection to these device/firmware combinations to reduce false positives. ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS D-Link diag_ping.cmd ipaddr Parameter Command Injection Attempt (CVE-2018-5371)
suricata·2025-11-13·CVSS 8.8
CVE-2018-5371 [HIGH] ET WEB_SPECIFIC_APPS D-Link diag_ping.cmd ipaddr Parameter Command Injection Attempt (CVE-2018-5371)
ET WEB_SPECIFIC_APPS D-Link diag_ping.cmd ipaddr Parameter Command Injection Attempt (CVE-2018-5371)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link diag_ping.cmd ipaddr Parameter Command Injection Attempt (CVE-2018-5371)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"diag_ping.cmd|3f|"; fast_pattern; content:"ipaddr|3d|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.cve.org/CVERecord?id=CVE-2018-5371; reference:cve,2018-5371; classtype:attempted-admin; sid:2065764; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_13, cve CVE_2018_5371, deployment Perimeter, deployment Internal, pe
No public exploits indexed.
No writeups or analysis indexed.
2018-01-12
Published