CVE-2022-40799 — D-Link DNR-322L Download of Code Without Integrity Check Vulnerability

D-Link DNR-322L Cloud NVR — Authenticated Attacker Executes OS Commands via Unsigned Firmware Download; EoL Device; No Patch Available; KEV Added August 2025

The D-Link DNR-322L is a Cloud Network Video Recorder (NVR) — an embedded Linux device designed for recording and managing IP camera feeds in small office and home security deployments. The device provides a web-based management interface and supports remote cloud access for video playback and management. Like most consumer NVR devices, the DNR-322L is designed to be left powered on continuously and is often configured for internet-accessible remote viewing. D-Link has designated the DNR-322L as end-of-life (EoL) — no firmware patches will be released for newly discovered vulnerabilities, including CVE-2022-40799. Deployed EoL NVR devices represent a persistent unpatched attack surface, particularly when internet-facing.

Overview

CVE-2022-40799 is a download of code without integrity check vulnerability (CWE-494) in the D-Link DNR-322L cloud network video recorder that allows an authenticated attacker with low privileges to cause the device to download and execute unsigned code, achieving OS-level command execution. D-Link has not released a patch — the device is end-of-life. CISA added CVE-2022-40799 to the KEV catalog in August 2025, nearly three years after NVD publication, reflecting continued exploitation of deployed EoL D-Link NVR devices.

Affected Versions

Product | Affected | Fixed
D-Link DNR-322L | All firmware versions | No patch — end-of-life

Technical Details

Download of code without integrity check (CWE-494) occurs when a device downloads code from a remote source and executes it without verifying that the code is authentic and unmodified. In the D-Link DNR-322L, an authenticated attacker with low-privilege access to the web management interface can:

  1. Authenticate with low-privilege credentials — any valid user account on the NVR (including default credentials, if unchanged) suffices
  2. Trigger a firmware or module download — invoke a management function that causes the device to fetch code from an attacker-controlled URL; the DNR-322L does not verify the digital signature or integrity of the downloaded content
  3. Execute the downloaded code — the device installs and executes the unsigned code as part of its firmware update or module loading process, achieving OS-level command execution in the NVR's Linux environment
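The three steps above describe the CWE-494 pattern: the update path trusts whatever bytes arrive from the requested URL. The following added example (not D-Link's code; the update host, key, URLs and firmware bytes are constructed stand-ins) puts a minimal unverified update handler beside a hardened one that checks the download origin, the authenticity of a vendor-signed manifest, and the image digest before anything is handed to the installer. HMAC stands in for the vendor signature only to keep the example offline; a real device should verify an asymmetric signature so that it holds nothing more sensitive than a public key.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# --- Constructed sample data (not real D-Link firmware, hosts or keys) ---
VENDOR_KEY = b"demo-vendor-key"           # stand-in for the vendor's signing key
TRUSTED_HOST = "updates.example.invalid"  # hypothetical vendor update host

GENUINE_IMAGE = b"\x7fELF constructed genuine firmware image v1.0"
TAMPERED_IMAGE = b"\x7fELF constructed image with an added startup script"

GENUINE_URL = "https://updates.example.invalid/dnr322l/fw.bin"
MODIFIED_URL = "https://updates.example.invalid/dnr322l/fw-altered.bin"
UNTRUSTED_URL = "http://untrusted.example.invalid/fw.bin"

IMAGES = {
    GENUINE_URL: GENUINE_IMAGE,
    MODIFIED_URL: TAMPERED_IMAGE,   # right host, altered content
    UNTRUSTED_URL: TAMPERED_IMAGE,  # user-supplied host outside the vendor's domain
}


def fetch(url):
    """Stand-in for the device's HTTP download; serves bytes from the constructed table."""
    return IMAGES[url]


def install_unverified(url):
    """CWE-494 pattern: whatever the URL returns is accepted and handed to the installer."""
    image = fetch(url)
    return {"installed": True, "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(image, key=VENDOR_KEY):
    """Vendor side: bind the image digest to a key-backed tag over a small manifest."""
    manifest = json.dumps({"sha256": hashlib.sha256(image).hexdigest(),
                           "version": "1.0"}, sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def install_verified(url, manifest, tag):
    """Hardened handler: origin, manifest authenticity and image digest are all checked
    before the image reaches the installer; any failure leaves the device untouched."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != TRUSTED_HOST:
        return {"installed": False, "reason": "untrusted update source"}

    expected_tag = hmac.new(VENDOR_KEY, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return {"installed": False, "reason": "manifest signature invalid"}

    image = fetch(url)
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, json.loads(manifest)["sha256"]):
        return {"installed": False, "reason": "image digest mismatch"}

    return {"installed": True, "sha256": digest}


if __name__ == "__main__":
    manifest, tag = sign_manifest(GENUINE_IMAGE)
    print("unverified, untrusted host:", install_unverified(UNTRUSTED_URL))
    print("verified, genuine:", install_verified(GENUINE_URL, manifest, tag))
    print("verified, altered image:", install_verified(MODIFIED_URL, manifest, tag))
    print("verified, untrusted host:", install_verified(UNTRUSTED_URL, manifest, tag))
    forged, forged_tag = sign_manifest(TAMPERED_IMAGE, key=b"not-the-vendor-key")
    print("verified, forged manifest:", install_verified(MODIFIED_URL, forged, forged_tag))
```

The order of the checks matters: the origin test rejects a non-vendor URL before any download happens, the manifest check rejects a manifest signed with anything but the vendor key, and the digest check catches an altered image served under a genuine manifest. Each rejection happens before the installer runs, which is the property the DNR-322L's update path lacks.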

With OS command execution on the NVR, an attacker can access camera feeds, modify NVR configuration, establish persistent backdoors in flash storage, pivot to connected network cameras, or use the device as a network foothold.

Discovery

CVE-2022-40799 was published to NVD in November 2022. D-Link stated that no patch would be provided because of the DNR-322L's EoL status. The nearly 3-year gap between publication and the August 2025 CISA KEV addition reflects ongoing exploitation of deployed legacy D-Link NVR devices in the field.

Exploitation Context

EoL consumer and small-business NVR devices are a persistent long-tail exploitation target:

  • NVRs are always-on devices with persistent internet access for remote viewing
  • Consumer users rarely apply firmware updates and are unaware of EoL status
  • Default or unchanged credentials are common on deployed home NVR devices
  • A compromised NVR provides access to IP camera feeds (privacy violation, physical security intelligence) and a network foothold for lateral movement
  • NVR devices are frequently part of the same LAN as workstations and servers, enabling pivot attacks

The 3-year KEV lag reflects a device category where active exploitation is difficult to attribute to specific incidents — broad scanning-based exploitation of EoL NVR devices tends to be discovered through telemetry from internet scanners and honeypots rather than discrete incidents.

Remediation

  1. Replace the DNR-322L — no patch is available for CVE-2022-40799; replacement with a supported NVR device is the only complete remediation. D-Link recommends replacing EoL devices with current supported models.
  2. Isolate from internet access — if replacement is deferred, immediately remove the DNR-322L's internet-facing access; disable UPnP port forwarding, remove port-forward rules on the router, and disable D-Link's cloud remote access feature.
  3. Change default credentials — change the NVR's administrator password to a strong unique credential to remove the low-privilege access prerequisite.
  4. Segment from internal network — place the NVR on an isolated VLAN with no access to workstations, servers, or other sensitive network segments; restrict to camera-only network access.
  5. Disable remote access features — disable cloud-based remote viewing and any external management access; limit access to trusted local LAN IP addresses only.

Key Details

Property | Value
CVE ID | CVE-2022-40799
Vendor / Product | D-Link — DNR-322L
NVD Published | 2022-11-29
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-494
CISA KEV Added | 2025-08-05
CISA KEV Deadline | 2025-08-26
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-08-26. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2022-11-29 | CVE-2022-40799 published to NVD; D-Link DNR-322L identified as end-of-life with no patch planned
2025-08-05 | CISA adds CVE-2022-40799 to the Known Exploited Vulnerabilities catalog — nearly 3 years after publication
2025-08-26 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2022-40799 | Vulnerability Database
CISA KEV Catalog Entry | US Government