D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to execute arbitrary commands via shell metacharacters in the online_firmware_check.cgi check_fw_url parameter.
https://www.nccgroup.trust/contentassets/7188fe7f130846ffa31827fc1661d120/commandinjection.txt