Cyber Resilience

CVE-2019-17621

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 30 December 2019
Modified: 07 November 2025
KEV Added: 29 June 2023
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9301 (99.8th percentile)
Risk Priority: 95 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-17621 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-859 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an OS command injection flaw (CWE-78) affecting the UPnP service on D-Link DIR-859 Wi-Fi routers running firmware versions 1.05 and 1.06B01 Beta01. Specifically, the /gena.cgi endpoint accepts unauthenticated HTTP SUBSCRIBE requests that can be manipulated to execute arbitrary system commands with root privileges.

An attacker with network adjacency to the device can exploit the issue remotely without authentication or user interaction by crafting a malicious SUBSCRIBE request to the UPnP service. Successful exploitation grants full root-level control over the router, enabling arbitrary command execution, configuration changes, or further lateral movement within the local network. The flaw carries a CVSS 3.1 base score of 9.8.

D-Link has published security advisories SAP10146 and SAP10147 addressing the affected router models. Public proof-of-concept code demonstrating unauthenticated remote command execution has been released via Packet Storm and technical write-ups.

EU & UK References

Vulnerability details

The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 29 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink dir-859 firmware: 1.06b01 · ≤ 1.05b03
dlink dir-822 firmware: ≤ 2.03b01 · ≤ 3.12b04
dlink dir-823 firmware: 1.00b06 · ≤ 1.00b06
dlink dir-865l firmware: ≤ 1.07b01
dlink dir-868l firmware: ≤ 1.12b04 · ≤ 2.05b02
dlink dir-869 firmware: 1.03b02 · ≤ 1.03b02
dlink dir-880l firmware: ≤ 1.08b04
dlink dir-890l firmware: 1.11b01 · ≤ 1.11b01
dlink dir-890r firmware: 1.11b01 · ≤ 1.11b01
dlink dir-885l firmware: ≤ 1.12b05
+4 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Enforces authentication and authorization requirements on the UPnP /gena.cgi endpoint, directly blocking the unauthenticated SUBSCRIBE requests that enable root command execution.

prevent (SI-10, Information Input Validation): Requires validation and sanitization of all input to the UPnP service, preventing specially crafted SUBSCRIBE requests from being interpreted as OS commands.

prevent: Restricts network traffic to the UPnP service, limiting exposure of the vulnerable endpoint to only authorized adjacent hosts.
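A defender-side triage check that applies the input-validation control above to the SUBSCRIBE requests described in the deeper analysis, added here as an example; it is not code from this page, from D-Link or from the referenced PoC. The sample requests are constructed, the metacharacter set is an assumption, and the allowlist uses the GENA CALLBACK grammar (one or more <http://...> groups) from the UPnP specification; the page does not name the injected field, so every header value is inspected.

```python
import re
from typing import Dict, List, Tuple

# Assumed set of shell metacharacters that have no place in a UPnP SUBSCRIBE header value.
SHELL_META = re.compile(r"`|;|\|\||\$\(|\$\{|&&|[\r\n]")
# Allowlist for the standard GENA CALLBACK form: one or more <http(s)://...> groups.
CALLBACK_OK = re.compile(r"^(<https?://[^\s<>]+>)+$")

# Constructed sample requests, not captures from a real DIR-859.
SAMPLES = [
    "SUBSCRIBE /gena.cgi?service=WANIPConnection HTTP/1.1\r\nHOST: 192.168.0.1:49152\r\n"
    "CALLBACK: <http://192.168.0.20:5000/notify>\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHOST: 192.168.0.1\r\n\r\n",
    "SUBSCRIBE /gena.cgi?service=WANIPConnection HTTP/1.1\r\nHOST: 192.168.0.1:49152\r\n"
    "CALLBACK: <http://192.168.0.20:5000/`id`>\r\nNT: upnp:event\r\n\r\n",
    "SUBSCRIBE /gena.cgi?service=WANIPConnection HTTP/1.1\r\nHOST: 192.168.0.1:49152\r\n"
    "CALLBACK: http://192.168.0.20:5000/notify\r\nNT: upnp:event\r\n\r\n",
]

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, lower-cased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; URLs keep theirs
        headers[name.strip().lower()] = value.strip()
    return parts[0], (parts[1] if len(parts) > 1 else ""), headers

def classify(raw: str) -> str:
    """Verdict for one request: 'ignore' (not the UPnP endpoint), 'log' or 'block'."""
    method, path, headers = parse_request(raw)
    if method != "SUBSCRIBE" or not path.startswith("/gena.cgi"):
        return "ignore"
    # Blocklist check: a shell metacharacter in any header value is enough to drop it.
    if any(SHELL_META.search(v) for v in headers.values()):
        return "block"
    # Allowlist check: CALLBACK must match the GENA grammar; anything else is dropped too.
    if "callback" in headers and not CALLBACK_OK.match(headers["callback"]):
        return "block"
    # Well-formed but unauthenticated SUBSCRIBE to the vulnerable path: keep a record.
    return "log"

def triage(samples: List[str]) -> List[str]:
    """Run the classifier over a batch of raw requests."""
    return [classify(s) for s in samples]

if __name__ == "__main__":
    for verdict, raw in zip(triage(SAMPLES), SAMPLES):
        print(verdict, raw.split("\r\n", 1)[0])
```

The "log" verdict is deliberate: even a well-formed SUBSCRIBE reaches an endpoint that the affected firmware exposes without authentication, so it should be visible in the router's or an upstream sensor's logs rather than silently accepted.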

References