
CVE-2019-16920

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 27 September 2019
Modified: 07 November 2025
KEV added: 25 March 2022
Patch: none listed on this record
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9434 (100.0th percentile)
Risk priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-16920 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-655 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-16920 is an unauthenticated remote code execution vulnerability arising from OS command injection (CWE-78) in the PingTest device CGI of multiple D-Link router and access-point models, including DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. An attacker supplies crafted input that is passed directly to a system command without sanitization, resulting in arbitrary command execution on the affected device.

Because the flaw is reachable over the network without authentication or user interaction, any remote attacker who can reach the web interface can trigger the injection. Successful exploitation yields full system compromise, allowing the attacker to execute arbitrary commands with the privileges of the web server process.

Public references such as FortiGuard FG-VD-19-117, CERT VU#766427, and Seebug entries document the affected firmware versions and confirm the command-injection vector, but do not detail vendor-supplied patches or configuration work-arounds within the provided source material.


Vulnerability details

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends arbitrary input to a "PingTest" device common gateway interface (CGI), which can lead to command injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product             Affected versions
dlink    dir-655 firmware    ≤ 3.02b05
dlink    dir-866l firmware   ≤ 1.03b04
dlink    dir-652 firmware    all versions
dlink    dhp-1565 firmware   ≤ 1.01
dlink    dir-855l firmware   all versions
dlink    dap-1533 firmware   all versions
dlink    dir-862l firmware   all versions
dlink    dir-615 firmware    all versions
dlink    dir-835 firmware    all versions
dlink    dir-825 firmware    all versions

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation)

Directly requires validation of all inputs to the PingTest CGI so that crafted parameters cannot be passed unsanitized into system commands.

prevent: AC-3 (Access Enforcement)

Enforces authentication and authorization checks before any access to device CGI endpoints, eliminating the unauthenticated attack vector described in the CVE.

prevent: SC-7 (Boundary Protection)

Boundary-protection mechanisms can restrict network reachability of the web-management interface, reducing the set of remote attackers able to reach the vulnerable PingTest function.
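As an added illustration of the SI-10 control above (example code written for this page, not D-Link firmware and not from the record's sources), the following Python handles a ping-test parameter so that it can only ever be an IP literal or a plain hostname, and invokes ping through an argv list rather than a shell command string. The function names and sample inputs are assumptions made for illustration.

```python
# Added example (not D-Link firmware code): a ping-test parameter handled
# the way NIST SI-10 asks, so it never reaches a shell inside a command
# string. Function names and sample inputs are illustrative assumptions.
import ipaddress
import re
import subprocess
from typing import List, Optional

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
# A leading hyphen is also rejected so the target cannot be parsed as a
# ping option; shell metacharacters never match this pattern at all.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ping_target(raw: str) -> Optional[str]:
    """Return a canonical IP literal or hostname, or None if rejected."""
    raw = raw.strip()
    if not raw or len(raw) > 253:
        return None
    try:
        return str(ipaddress.ip_address(raw))  # IPv4 or IPv6 literal
    except ValueError:
        pass  # not an IP literal; fall through to hostname rules
    labels = raw.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return raw.lower()
    return None


def build_ping_argv(raw: str, count: int = 1) -> Optional[List[str]]:
    """Build ping's argv as a list: the target is always exactly one
    argument, so no shell ever re-parses it."""
    target = validate_ping_target(raw)
    if target is None or not 1 <= count <= 5:
        return None
    return ["ping", "-c", str(count), target]


def run_ping_test(raw: str) -> Optional[int]:
    """Run the validated ping (no shell) and return its exit status,
    or None when the input was rejected before any command ran."""
    argv = build_ping_argv(raw)
    if argv is None:
        return None
    done = subprocess.run(argv, capture_output=True, timeout=10)
    return done.returncode
```

The defect class behind this CVE is the opposite pattern, concatenating the request parameter into a shell command string; with the allow-list above, an input containing whitespace, `;`, `|`, `&`, backticks or `$` is rejected before any process is started.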
