HighCISA KEVExploited in the wildPublic exploit

D-Link DIR-645 HNAP SOAPAction Command Injection

IdentifiersCVE-2015-2051CWE-78

CVE-2015-2051 is a remote command injection vulnerability in the D-Link DIR-645 Wired/Wireless Router Rev. Ax affecting firmware 1.04b12 and earlier. The flaw is exposed through the router's HNAP interface and can be triggered via a crafted GetDeviceSettings action. The provided context explicitly states that remote attackers can execute arbitrary commands through the HNAP interface, and multiple references describe the issue as an HNAP SOAPAction command injection vulnerability. In practice, exploitation involves sending a malicious SOAPAction/HNAP request to the device's web management interface, causing attacker-controlled input to be interpreted by the underlying system shell.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to execute arbitrary commands on the affected router. This can result in full compromise of the device, including unauthorized administrative control, malware installation, botnet enrollment, configuration manipulation, traffic interception or redirection, persistence, and use of the router as a pivot for further attacks or DDoS activity. The context also shows this vulnerability has been repeatedly incorporated into botnet propagation tooling and mass-scanning campaigns.

Mitigation

If you can’t patch tonight, do this now.

Restrict access to the router's web administration and HNAP interface to trusted management networks only. Disable remote administration from the internet if not strictly required. Use firewall or ACL controls to block untrusted access to the management plane, segment affected devices from critical internal assets, and monitor for suspicious HNAP/SOAPAction requests. Where patching is not possible, remove or isolate vulnerable devices to prevent exploitation.

Remediation

Patch, then assume compromise.

Upgrade affected D-Link DIR-645 Rev. Ax devices to a firmware version newer than 1.04b12 if a vendor-fixed release is available. If no supported fixed firmware is available, replace the device with a supported model. Review vendor guidance for the DIR-645 specifically and ensure remote management and HNAP-exposed services are not left reachable from untrusted networks after upgrade.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

D-LinkDir-645hardware

D-LinkDir-645 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app

fortinet threat research blogNews

Jun 3, 2026

Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | FortiGuard Labs

A D-Link devices HNAP SOAPAction header command execution vulnerability included among the HTTP-based exploits used by the scanner for initial access.

fortinet threat researchNews

Jun 3, 2026

Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | FortiGuard Labs

An HNAP SOAPAction header command execution vulnerability used by the malware scanner as one of several HTTP-based initial access exploits.

nuclei templates pull requestsNews

Mar 26, 2026

Add 5 KEV CVE templates (GPON, D-Link, ManageEngine, Citrix) by ElromEvedElElyon · Pull Request #15710 · projectdiscovery/nuclei-templates · GitHub

A command injection vulnerability in the HNAP SOAPAction functionality of the D-Link DIR-645.

thecyberexpress com vulnerabilitiesNews

Jan 21, 2026

EU Launches GCVE, A Decentralized Vulnerability Database

An older CVE identifier referenced as an example of historical continuity in the EU Vulnerability Database (GCVE).

+5 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware6

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2015-2051

NVD

nvd.nist.gov/vuln/detail/CVE-2015-2051

MITRE CWE · CWE-78

cwe.mitre.org

Vendor Advisory

securityadvisories.dlink.com/security/publication.aspx?name=SAP10051

Vendor Advisory

supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10282

Third Party Advisory

exploit-db.com/exploits/37171

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2051