CVE-2016-20017
Published: 19 October 2022
Summary
CVE-2016-20017 is a critical-severity Command Injection (CWE-77) vulnerability in Dlink Dsl-2750B Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
D-Link DSL-2750B devices running firmware versions prior to 1.05 contain a command injection vulnerability in the login.cgi endpoint. The flaw, tracked as CVE-2016-20017 and assigned CWE-77, permits unauthenticated remote attackers to supply arbitrary commands through the cli parameter, resulting in a CVSS 3.1 score of 9.8.
An attacker with network access to the WAN or LAN interface can submit a crafted HTTP request to login.cgi and execute operating-system commands without credentials. Successful exploitation grants full control over the device, including the ability to read or modify configuration data, install persistent malware, or use the router as an entry point into attached networks.
D-Link published security announcement SAP10088 and made firmware version 1.05 available to address the issue. Public references also include exploit code on Exploit-DB and multiple Full Disclosure postings that document the injection vector.
The vulnerability was actively exploited in the wild between 2016 and 2022.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-3105
Vulnerability details
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
- CWE(s)
- KEV Date Added
- 08 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Input validation on the cli parameter of login.cgi would reject or sanitize the unsanitized command strings that enable unauthenticated OS command injection.
Access enforcement would require successful authentication before any request to login.cgi is processed, blocking the unauthenticated exploitation path.
Flaw remediation requires prompt application of the vendor firmware 1.05 that removes the command-injection vulnerability in login.cgi.