Cyber Resilience

CVE-2016-20017

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 19 October 2022

Published
19 October 2022
Modified
05 November 2025
KEV Added
08 January 2024
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9209 99.7th percentile
Risk Priority 95 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-20017 is a critical-severity Command Injection (CWE-77) vulnerability in Dlink Dsl-2750B Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

D-Link DSL-2750B devices running firmware versions prior to 1.05 contain a command injection vulnerability in the login.cgi endpoint. The flaw, tracked as CVE-2016-20017 and assigned CWE-77, permits unauthenticated remote attackers to supply arbitrary commands through the cli parameter, resulting in a CVSS 3.1 score of 9.8.

An attacker with network access to the WAN or LAN interface can submit a crafted HTTP request to login.cgi and execute operating-system commands without credentials. Successful exploitation grants full control over the device, including the ability to read or modify configuration data, install persistent malware, or use the router as an entry point into attached networks.

D-Link published security announcement SAP10088 and made firmware version 1.05 available to address the issue. Public references also include exploit code on Exploit-DB and multiple Full Disclosure postings that document the injection vector.

The vulnerability was actively exploited in the wild between 2016 and 2022.

EU & UK References

Vulnerability details

D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.

CWE(s)
KEV Date Added
08 January 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
dsl-2750b firmware
≤ 1.05

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Input validation on the cli parameter of login.cgi would reject or sanitize the unsanitized command strings that enable unauthenticated OS command injection.

prevent

Access enforcement would require successful authentication before any request to login.cgi is processed, blocking the unauthenticated exploitation path.

prevent

Flaw remediation requires prompt application of the vendor firmware 1.05 that removes the command-injection vulnerability in login.cgi.

References