Vulnerability Details CVE-2019-16920
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.943
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
Proposed Action
Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.
Ransomware Campaign
Unknown
References
- https://fortiguard.com/zeroday/FG-VD-19-117
- https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
- https://www.kb.cert.org/vuls/id/766427
- https://www.seebug.org/vuldb/ssvid-98079
- https://fortiguard.com/zeroday/FG-VD-19-117
- https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
- https://www.kb.cert.org/vuls/id/766427
- https://www.seebug.org/vuldb/ssvid-98079
Products affected by CVE-2019-16920
-
cpe:2.3:h:dlink:dap-1533:-
-
cpe:2.3:h:dlink:dhp-1565:ax
-
cpe:2.3:h:dlink:dir-615:-
-
cpe:2.3:h:dlink:dir-652:ax
-
cpe:2.3:h:dlink:dir-655:cx
-
cpe:2.3:h:dlink:dir-825:-
-
cpe:2.3:h:dlink:dir-835:-
-
cpe:2.3:h:dlink:dir-855l:-
-
cpe:2.3:h:dlink:dir-862l:-
-
cpe:2.3:h:dlink:dir-866l:ax
-
cpe:2.3:o:dlink:dap-1533_firmware:-
-
cpe:2.3:o:dlink:dhp-1565_firmware:-
-
cpe:2.3:o:dlink:dhp-1565_firmware:1.01
-
cpe:2.3:o:dlink:dir-615_firmware:-
-
cpe:2.3:o:dlink:dir-652_firmware:-
-
cpe:2.3:o:dlink:dir-655_firmware:-
-
cpe:2.3:o:dlink:dir-655_firmware:3.02b05
-
cpe:2.3:o:dlink:dir-825_firmware:-
-
cpe:2.3:o:dlink:dir-835_firmware:-
-
cpe:2.3:o:dlink:dir-855l_firmware:-
-
cpe:2.3:o:dlink:dir-862l_firmware:-
-
cpe:2.3:o:dlink:dir-866l_firmware:-
-
cpe:2.3:o:dlink:dir-866l_firmware:1.03b04