Lyrie
advisory
ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence · 8/5/2025

What happened

CISA added CVE-2022-40799 (D-Link DNR-322L) to the Known Exploited Vulnerabilities catalog, elevating it to “confirmed exploited in the wild” status (CISA KEV). The entry describes a “download of code without integrity check” vulnerability that allows an authenticated attacker to execute OS-level commands on the device (CISA KEV). The catalog notes the product may be end-of-life/end-of-service and advises discontinuing use if mitigations are unavailable (CISA KEV).

CISA’s listing ties the weakness to CWE-494 “Download of Code Without Integrity Check,” which is consistent with the NVD classification for this CVE (NVD CVE-2022-40799). The CVE record on MITRE also tracks the identifier and affected product as D-Link DNR-322L (MITRE CVE record).

CISA’s required action is explicit: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue the product if mitigations are unavailable (CISA KEV). The KEV entry’s timeline states a date added of 2025-08-05 with an agency due date of 2025-08-26 for remediation tracking (CISA KEV).

Why it matters

Inclusion in the KEV catalog means exploitation has been observed, so vulnerable DNR-322L units should be treated as an active risk immediately (CISA KEV). The flaw enables authenticated attackers to run OS commands on the recorder, which is device-level compromise with potential lateral movement implications inside the local network (CISA KEV). Because this class of bug stems from downloading code without integrity verification, it inherently allows tampering and arbitrary code execution if that download path is abused (NVD CVE-2022-40799).

Operationally, EoL/EoS hardware that no longer receives security updates should not be exposed or retained in production environments, and CISA explicitly recommends discontinuation when mitigations are unavailable (CISA KEV). The underlying weakness is codified as CWE-494, where absence of cryptographic integrity checks or signature validation enables code substitution attacks (CWE-494).

Technical detail

The vulnerability is categorized as CWE-494 “Download of Code Without Integrity Check,” where software retrieves code without verifying authenticity or integrity prior to execution (NVD CVE-2022-40799). In practical terms, any code-fetch mechanism that lacks signature validation or a robust integrity check can be coerced to ingest attacker-supplied payloads (CWE-494). CISA’s description specifies that exploitation of this condition on the DNR-322L allows an authenticated attacker to execute OS-level commands on the device (CISA KEV).

The affected product identified for this CVE is the D-Link DNR-322L, as reflected in both the NVD and MITRE CVE records (NVD CVE-2022-40799). The KEV entry associates the issue with active exploitation, reinforcing that the attack path is not theoretical and demands remediation priority (CISA KEV). Given the KEV note on potential EoL/EoS status, organizations may not have access to security patches and should plan for device retirement (CISA KEV).
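
The CWE-494 weakness class described in this section, shown as an added example that is not D-Link's code or part of the original advisory: a download gate that authenticates the manifest before trusting the digest inside it, next to a checksum-only check that passes a substituted pair. The file names, key and payloads are constructed, and HMAC-SHA256 is an assumption standing in for the asymmetric signature real firmware would use.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 stands in for a vendor's asymmetric signature
# (Ed25519/RSA in real firmware) so the example runs on the standard library.
VENDOR_KEY = b"constructed-demo-key"  # constructed value, not a real key

def make_manifest(name: str, payload: bytes) -> dict:
    """Describe a payload by name, size and SHA-256 digest."""
    return {"name": name, "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest()}

def authenticate(manifest: dict, key: bytes) -> str:
    """Tag computed over a canonical encoding of the manifest."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def checksum_only_ok(payload: bytes, manifest: dict) -> bool:
    """Weak check: the digest arrives over the same channel as the code."""
    return hashlib.sha256(payload).hexdigest() == manifest["sha256"]

def verify_download(payload: bytes, manifest: dict, tag: str, key: bytes) -> str:
    """Return 'accept' or a rejection reason; nothing runs before 'accept'."""
    if not hmac.compare_digest(authenticate(manifest, key), tag):
        return "reject: manifest not authentic"
    if len(payload) != manifest["size"]:
        return "reject: size mismatch"
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return "reject: digest mismatch"
    return "accept"

# Constructed sample inputs.
GOOD = b"#!/bin/sh\necho addon 1.0\n"
SWAPPED = b"#!/bin/sh\necho substituted content\n"
GOOD_MANIFEST = make_manifest("addon.sh", GOOD)
GOOD_TAG = authenticate(GOOD_MANIFEST, VENDOR_KEY)
# Whoever controls the download path can recompute a digest, but not the tag.
SWAPPED_MANIFEST = make_manifest("addon.sh", SWAPPED)

if __name__ == "__main__":
    print(checksum_only_ok(SWAPPED, SWAPPED_MANIFEST))
    print(verify_download(GOOD, GOOD_MANIFEST, GOOD_TAG, VENDOR_KEY))
    print(verify_download(SWAPPED, SWAPPED_MANIFEST, GOOD_TAG, VENDOR_KEY))
```

The checksum-only check accepts the substituted payload because its manifest was replaced along with it; the authenticated gate rejects the same pair at the first step.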

Defense

Follow CISA’s required action: apply vendor mitigations if available, follow applicable BOD 22-01 guidance for cloud services, or discontinue use where mitigations don’t exist (CISA KEV). Treat all DNR-322L units as at-risk until they are fully remediated or removed, given the KEV’s confirmation of exploitation (CISA KEV). Track against the KEV timeline where applicable, noting the listed due date of 2025-08-26 for mandated environments (CISA KEV).

When decommissioning is not immediately possible, isolate the device on a constrained network segment and restrict management access to known administrators while you execute the KEV-directed mitigations (CISA KEV). Because the weakness stems from unverified code retrieval (CWE-494), any control that enforces code integrity or blocks untrusted downloads will reduce exposure during transition (CWE-494).
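
One way to track the steps above against an asset inventory, as an added example that is not part of the original advisory or any Lyrie tooling. The KEV record is constructed in the shape of the CISA KEV JSON feed using the dates stated in this advisory; the inventory, hostnames, segment names and field names are hypothetical.

```python
from datetime import date

# Constructed record shaped like the CISA KEV JSON feed; values from this advisory.
KEV = [{"cveID": "CVE-2022-40799", "vendorProject": "D-Link",
        "product": "DNR-322L", "dateAdded": "2025-08-05", "dueDate": "2025-08-26"}]

# Constructed inventory; hostnames, segments and field names are hypothetical.
INVENTORY = [
    {"host": "nvr-lobby", "vendor": "D-Link", "model": "DNR-322L",
     "segment": "corp-lan", "retired": False},
    {"host": "nvr-dock", "vendor": "d-link", "model": " dnr-322l",
     "segment": "isolated-iot", "retired": False},
    {"host": "nvr-old", "vendor": "D-Link", "model": "DNR-322L",
     "segment": "corp-lan", "retired": True},
    {"host": "nas-01", "vendor": "ExampleCo", "model": "EX-100",
     "segment": "corp-lan", "retired": False},
]
ISOLATED_SEGMENTS = {"isolated-iot"}  # assumption: management access is restricted here

def _norm(value: str) -> str:
    """Case- and whitespace-insensitive form for vendor/model matching."""
    return "".join(value.lower().split())

def triage(inventory, kev, today: date):
    """Match in-service assets to KEV entries; rank by exposure, then deadline."""
    findings = []
    for asset in inventory:
        if asset["retired"]:
            continue
        for entry in kev:
            if (_norm(asset["vendor"]), _norm(asset["model"])) != (
                    _norm(entry["vendorProject"]), _norm(entry["product"])):
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            isolated = asset["segment"] in ISOLATED_SEGMENTS
            action = ("retire or apply vendor mitigation" if isolated else
                      "isolate and restrict management access, then retire or mitigate")
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "days_left": days_left, "overdue": days_left < 0,
                             "isolated": isolated, "action": action})
    # Devices not yet isolated come first, then the nearest deadline.
    return sorted(findings, key=lambda f: (f["isolated"], f["days_left"]))

if __name__ == "__main__":
    for finding in triage(INVENTORY, KEV, date(2025, 8, 20)):
        print(finding)
```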

Lyrie Verdict

This is an integrity failure class (CWE-494) with confirmed in-the-wild exploitation and authenticated-path OS command execution on an embedded recorder (CISA KEV). Lyrie prioritizes autonomous detection for KEV-listed vulnerabilities and will flag machine-speed indicators of exploitation attempts against DNR-322L-class endpoints, aligning detection policy with the NVD/KEV identifiers for CVE-2022-40799 (NVD CVE-2022-40799). In practice, we weight telemetry and enforcement toward code-fetch and execution paths on devices mapped to this CVE and escalate any authenticated execution anomalies consistent with the KEV description, without waiting for human triage (CISA KEV).
