CVE-2019-16057
Published: 16 September 2019
Summary
CVE-2019-16057 is a critical-severity OS command injection (CWE-78) vulnerability in D-Link DNS-320 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-16057 is an OS command injection flaw (CWE-78) in the login_mgr.cgi script of D-Link DNS-320 network-attached storage devices running firmware versions through 2.05.B10. It received a CVSS 3.1 base score of 9.8, driven by a network attack vector, low attack complexity, and no requirement for authentication or user interaction.
Remote attackers can supply crafted input to the script to execute arbitrary operating-system commands on the device. This grants full read, write, and control capabilities, resulting in complete compromise of confidentiality, integrity, and availability.
The issue is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation. Public references include detailed technical write-ups of the remote-code-execution path and an FTC enforcement action against D-Link that references the affected product line.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-6920
Vulnerability details
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
- CWE(s): CWE-78
- KEV Date Added: 15 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of inputs to login_mgr.cgi, blocking the crafted OS command payloads that enable unauthenticated RCE.
- Enforces authentication and authorization checks before any script execution, eliminating the no-authentication path used by the vulnerability.
- Restricts network access to the device's web interface, limiting exposure of the vulnerable login_mgr.cgi endpoint from untrusted sources.