// For flags

CVE-2019-16920

D-Link Multiple Routers Command Injection Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

La ejecución de código remota no autenticada se presenta en productos D-Link tales como DIR-655C, DIR-866L, DIR-652, y DHP-1565. El problema se presenta cuando el atacante envía una entrada arbitraria hacia una interfaz de la puerta de enlace común del dispositivo "PingTest" que podría conllevar a una inyección común. Un atacante que activa con éxito la inyección de comando podría lograr un compromiso total del sistema. Después, se descubrió de manera independiente que estos también se ven afectados: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 y DIR-825.

Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-09-27 CVE Reserved
  • 2019-09-27 CVE Published
  • 2019-10-15 First Exploit
  • 2022-03-25 Exploited in Wild
  • 2022-04-15 KEV Due Date
  • 2024-08-05 CVE Updated
  • 2024-09-20 EPSS Updated
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Dlink
Search vendor "Dlink"
 Dir-655 Firmware
Search vendor "Dlink" for product "Dir-655 Firmware"
 <= 3.02b05
Search vendor "Dlink" for product "Dir-655 Firmware" and version " <= 3.02b05"
-
Affected
in Dlink
Search vendor "Dlink"
 Dir-655
Search vendor "Dlink" for product "Dir-655"
 cx
Search vendor "Dlink" for product "Dir-655" and version "cx"
-
Safe
Dlink
Search vendor "Dlink"
 Dir-866l Firmware
Search vendor "Dlink" for product "Dir-866l Firmware"
 <= 1.03b04
Search vendor "Dlink" for product "Dir-866l Firmware" and version " <= 1.03b04"
-
Affected
in Dlink
Search vendor "Dlink"
 Dir-866l
Search vendor "Dlink" for product "Dir-866l"
 ax
Search vendor "Dlink" for product "Dir-866l" and version "ax"
-
Safe
Dlink
Search vendor "Dlink"
 Dir-652 Firmware
Search vendor "Dlink" for product "Dir-652 Firmware"
--
Affected
in Dlink
Search vendor "Dlink"
 Dir-652
Search vendor "Dlink" for product "Dir-652"
 ax
Search vendor "Dlink" for product "Dir-652" and version "ax"
-
Safe
Dlink
Search vendor "Dlink"
 Dhp-1565 Firmware
Search vendor "Dlink" for product "Dhp-1565 Firmware"
 <= 1.01
Search vendor "Dlink" for product "Dhp-1565 Firmware" and version " <= 1.01"
-
Affected
in Dlink
Search vendor "Dlink"
 Dhp-1565
Search vendor "Dlink" for product "Dhp-1565"
 ax
Search vendor "Dlink" for product "Dhp-1565" and version "ax"
-
Safe