CVE-2024-0769
Published: 21 January 2024
Summary
CVE-2024-0769 is a medium-severity Path Traversal (CWE-22) vulnerability in Dlink Dir-859 Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Volume Access (T1006); ranked in the top 1.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-0769 is a path traversal vulnerability, tracked as CWE-22, that affects the unsupported D-Link DIR-859 firmware version 1.06B01. The flaw resides in the HTTP POST Request Handler component within the file /hedwig.cgi, where the service argument can be manipulated with a crafted input such as ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml to traverse directories.
An unauthenticated remote attacker can send a specially formed HTTP POST request to read arbitrary files on the device, resulting in limited information disclosure as reflected in the CVSS 5.3 score. The vulnerability was publicly disclosed with a working exploit and assigned VDB-251666.
D-Link has confirmed the DIR-859 is end-of-life, issued an advisory (SAP10371) stating the product is no longer supported, and recommends immediate retirement and replacement. The EPSS score stands at 0.7676 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16557
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation…
more
of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
- CWE(s)
- KEV Date Added
- 25 June 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing router web interface (/hedwig.cgi) enables exploitation of public-facing application (T1190) for direct volume access to read arbitrary local files (T1006), as explicitly mapped by MITRE ATT&CK in advisories.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires replacement or isolation of unsupported system components such as the EOL D-Link DIR-859 firmware that can no longer receive patches for the path-traversal flaw.
Mandates validation of untrusted input (the service argument to hedwig.cgi) to reject path-traversal sequences before they can be used to read arbitrary files.
Enforces access-control decisions on the HTTP POST handler so that unauthenticated requests cannot traverse directories and retrieve sensitive configuration files.