An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the ntp_server parameter in an ntp_sync.cgi POST request.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9122
Reference (s):
- https://github.com/WhooAmii/whooamii.github.io/blob/master/2018/DIR-825/command%20injection.md