🔴 CVE-2022-40799

Critical command injection vulnerability in D-Link DNR-322L Cloud Network Video Recorder allowing authenticated attackers to execute OS-level commands via the 'Backup Config' functionality. This network device is commonly internet-facing for remote monitoring purposes and is actively exploited according to CISA KEV.

Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2022-11-29

Added to CISA KEV: 2025-08-05 (980 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2022-40799 is a security vulnerability affecting the D-Link DNR-322L network video recorder (NVR) [2]. It is officially recognized by CISA as a Known Exploited Vulnerability (KEV), meaning there is evidence of it being actively exploited in the wild [1].

Vulnerability Overview
  • Nature of Vulnerability: The issue is classified as a "Download of Code Without Integrity Check" (often resulting in data integrity failure) within the device's "Backup Config" functionality [2] [1].
  • Impact: Successful exploitation allows an attacker to execute OS-level commands on the affected device [2]. This effectively grants the attacker full control over the NVR.

Exploitation Requirements
  • Authentication: The vulnerability requires the attacker to be authenticated to the device to trigger the exploit [2].
  • Access: It is typically exploited via the network interface, as it targets the device's configuration management features.

Threat Landscape and Usage
  • Active Exploitation: CISA added this vulnerability to its KEV catalog in August 2025, confirming that it is being actively used by malicious actors in the wild [1].
  • Targeted Attacks: While specific attribution to named ransomware groups is limited, the vulnerability is noted as a point of concern for organizations using D-Link equipment, and such vulnerabilities are frequently leveraged by actors to gain initial access or maintain persistence within a network [3] [1].

Affected Versions and Mitigation
  • Affected Versions: The vulnerability affects D-Link DNR-322L firmware versions 2.60B15 and earlier [2].
  • Mitigation: Organizations using this hardware should check for the latest firmware updates provided by the manufacturer. Given its inclusion in the CISA KEV catalog, federal agencies and organizations following similar security standards are required to remediate this vulnerability to reduce significant risk to their enterprise [1]. If a patch is unavailable, isolating the device from public-facing networks is a critical defensive measure.

Sources

  1. CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

    CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk…

  2. NVD - CVE-2022-40799

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and ... CVE-2022-40799 Detail. Description. Data Integrity Failure in 'Backup Co…

  3. Byer-Nichols Threat Brief Cybersecurity Data For

    Amongst ransomware actors, Qilin has solidified its position in first place, growing from 13% to just over 20% of attacks. ... BlackNevas, a crypto-ransomware actor also known as Trial_Recovery, while first seen in September 2024, is notable for its recent reappearance after a hiatus of several mont…