CVE-2019-20500

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 March 2020
Modified: 07 November 2025
KEV Added: 29 June 2023
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8990 (99.6th percentile)
Risk Priority: 90 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-20500 is a high-severity OS Command Injection (CWE-78) vulnerability in D-Link DWL-2600AP firmware. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

D-Link DWL-2600AP devices running firmware version 4.2.0.15 Rev A contain an authenticated OS command injection vulnerability in the web interface's Save Configuration functionality. The flaw, classified as CWE-78, allows shell metacharacters supplied in the configBackup or downloadServerip parameter of the admin.cgi?action=config_save endpoint to reach the underlying shell, resulting in execution of arbitrary operating system commands.

An attacker who has obtained low-privileged authenticated access to the device can leverage the injection to run commands with high impact on confidentiality, integrity, and availability. The CVSS 3.1 base score of 7.8 reflects a local attack vector, low attack complexity, low privileges required, and no user interaction.

D-Link has issued a security advisory (SAP10113) that addresses the issue, and public exploit code demonstrating the vulnerability has been published. The CVE is also catalogued by CISA among known exploited vulnerabilities.

Vulnerability details

D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dlink; Product: dwl-2600ap firmware; Versions: ≤ 4.2.0.15

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly blocks CWE-78 OS command injection by validating or sanitizing the configBackup and downloadServerip parameters before they reach the shell in admin.cgi.

prevent (SI-2, Flaw Remediation): Requires prompt application of the vendor firmware patch (SAP10113) that eliminates the authenticated command-execution path in the Save Configuration function.

prevent: Limits the privileges of the authenticated account that reaches the vulnerable endpoint, reducing the impact of any commands that are successfully injected.
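The SI-10 control above, worked through for the two parameters the advisory names. This is an added example, not D-Link's firmware code: the handler functions are hypothetical, and it assumes the config_save action receives the two values as C strings before deciding whether to act on them.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <arpa/inet.h>

/* Allowlist check for the downloadServerip parameter: only a dotted-quad
 * IPv4 literal that inet_pton() parses is accepted, so a value carrying a
 * shell metacharacter (';', '|', '`', '$', ...) never passes this gate. */
bool valid_server_ip(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > 15)
        return false;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Allowlist check for the configBackup parameter: a plain file name of
 * [A-Za-z0-9._-] that does not start with '-' (option injection) or '.'
 * (hidden files, '..' traversal). Everything else is rejected. */
bool valid_backup_name(const char *s)
{
    size_t n, i;
    if (s == NULL)
        return false;
    n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-' || s[0] == '.')
        return false;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;
    }
    return true;
}

/* Hypothetical gate for the config_save action: 0 = accept, -1 = reject.
 * Pair it with execvp(), handing each validated value over as its own
 * argv[] element, instead of formatting them into a system() command
 * string; then no shell parses user input at all. */
int config_save_check(const char *backup, const char *server_ip)
{
    if (!valid_backup_name(backup) || !valid_server_ip(server_ip))
        return -1;
    return 0;
}
```

The allowlist is deliberately narrower than "strip known-bad characters": a hostname for the download server would also be rejected here, which is the correct trade-off for a device that only ever needs an IP literal.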
