CVE-2022-28958 was initially reported as a remote code execution (RCE) vulnerability in the D-Link DIR816L_FW206b01 firmware via the value parameter at shareport.php. This vulnerability, if real, would have posed a significant security risk, allowing unauthorized remote users to execute arbitrary code on the affected device.

However, further investigation into CVE-2022-28958 revealed that the vulnerability did not actually exist. Tests conducted on various firmware versions, including the reportedly vulnerable version 2.06b1, found no evidence of the vulnerability. Moreover, the original researcher who reported the vulnerability did not provide supporting evidence.

The CVE has been marked as REJECTED by the CVE List and retracted by the CVE Numbering Authority that originally vetted and published it, and CISA has removed the vulnerability from its catalog of known exploited vulnerabilities.

In response to these findings, GreyNoise researchers made the call to pull their D-Link DIR-816 tag for CVE-2022-28958. This action aligns with GreyNoise's commitment to providing the cybersecurity community with accurate and reliable threat intelligence.

The case of CVE-2022-28958 serves as a reminder of the importance of thorough and rigorous vulnerability verification. Incorrectly reported vulnerabilities can lead to unnecessary alarm and resource allocation in the cybersecurity community. They can also undermine trust in the reporting and cataloging systems that are crucial for effective vulnerability management.

In this context, the work of organizations like GreyNoise Intelligence and CISA is invaluable. By investigating reported vulnerabilities and making informed decisions based on their findings, they help ensure that the cybersecurity community can focus its efforts on real and present threats.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.