Support Announcements
DIR-850L Rev. Ax/Bx, DIR-880L Rev.Ax, DIR-822 Rev. Cx :: Authenticated Command Bypass & Authenticated Remote Command Execution (RCE)



On November 1, 2018 a security researcher from CyCarrier CSIRT contacted D-Link regarding two security issues that affect the DIR-850L Hardware Rev. Ax/Bx, DIR-880L Hardware Rev.Ax, DIR-822/DIR-822-US Hardware Rev. Cx.  To identify the hardware revision, please inspect the devices label on bottom of device. 


We coordinated with the security researcher from CyCarrier CSIRT, patched and release new firmware for each of the  affected models below.


3rd Party researcher

Henry Huang from CyCarrier CSIRT


Description of Security Issue:

  • Authentication bypass
  • Authenticated RCE


This attack does require an authenticated user to the web-GUI configuration of the device.  The web-GUI configuration interface is only available on the LAN-side of the device.


WAN-side access to the web-GUI configuration is default disabled, and D-Link does not ever recommend enabling this feature.


Affected Product Models and Patches:



Model Hardware Revision Affected FW Fixed FW  Last Updated
DIR-822 Revision C1 v3.10B06 and older (lower) v3.11B01Beta


DIR-822-US Revision C1 v3.10B06 and older (lower)  v3.11B01Beta


DIR-850L All Revision A v1.21B07 and older (lower) v1.21B08Beta


DIR-850L All Revision B v2.22B02Beta and older (lower) v2.22B03Beta 12/21/2018
DIR-880L All Revision A v1.20B01Beta and older (lower) v1.20B02Beta 12/21/2018


Regarding Security patch for your D-Link Devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.