The product: D-Link DIR-600
Latest version (July 28, 2023): 2.18 B5
Affected version: <= 2.18 B5
Manufacturer's website information: https://www.dlink.com/
Firmware download address: https://www.dlinktw.com.tw/techsupport/ProductInfo.aspx?m=DIR-600
In soap.cgi, the parameters of the request message are not validated before use: a parameter value is concatenated directly into a command string that is then passed to the system() function. Because system() hands the string to a shell, an attacker can craft a request parameter containing shell metacharacters (for example a semicolon followed by another command) and achieve command injection on the device.
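To make the pattern concrete, the following is an added example written for this page; it is not code from D-Link's soap.cgi. The base command (`ifconfig`), the parameter value, the length limit and the function names are all assumptions chosen for illustration. The unsafe builder reproduces the bug class described above (untrusted value concatenated into a string destined for system()) without actually executing anything, and the hardened builder shows the check a fix would need: a strict whitelist of characters that can never alter the shell command's structure.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical request handler modelled on the pattern in the advisory:
 * a request parameter is spliced into a shell command string.
 * The base command, parameter names and buffer sizes are assumptions
 * for illustration, not the real soap.cgi code. */
#define CMD_MAX 256

/* Vulnerable pattern: the untrusted value is concatenated straight into
 * the string that would be handed to system(). Returns the length written,
 * or -1 if the command would not fit in the buffer. */
int build_command_unsafe(char *out, size_t outlen, const char *param)
{
    int n = snprintf(out, outlen, "ifconfig %s", param);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Returns 1 if the command string contains a shell metacharacter that
 * would let /bin/sh start a second command or expand the value. */
int command_has_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

/* Hardened check: accept only a short value made of characters that cannot
 * change the command structure (interface names like "eth0", "br-lan").
 * Returns 1 if the value is acceptable, 0 otherwise. */
int is_safe_param(const char *param)
{
    if (param == NULL || *param == '\0' || strlen(param) > 15)
        return 0;
    for (const char *p = param; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Hardened builder: refuses unsafe values instead of concatenating them.
 * Returns -1 on rejection, otherwise the length of the built command. */
int build_command_safe(char *out, size_t outlen, const char *param)
{
    if (!is_safe_param(param))
        return -1;
    return build_command_unsafe(out, outlen, param);
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *benign  = "eth0";
    const char *crafted = "eth0; cat /etc/passwd";   /* constructed sample */

    build_command_unsafe(cmd, sizeof cmd, crafted);
    printf("unsafe build: \"%s\" (metachar=%d)\n", cmd, command_has_metachar(cmd));

    printf("safe build, crafted value: rc=%d\n",
           build_command_safe(cmd, sizeof cmd, crafted));

    build_command_safe(cmd, sizeof cmd, benign);
    printf("safe build, benign value: \"%s\" (metachar=%d)\n",
           cmd, command_has_metachar(cmd));
    return 0;
}
```

The whitelist is the minimum a patch needs; the stronger fix is to stop using system() altogether and run the program through execve() or posix_spawn() with an argv array, so that the parameter is only ever a single argument and no shell parses it.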
The PoC video is attached.