Cyber Resilience

CVE-2024-0769

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 January 2024

Modified: 30 October 2025
KEV Added: 25 June 2025
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.7676 (99.0th percentile)
Risk Priority: 77 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-0769 is a medium-severity Path Traversal (CWE-22) vulnerability in D-Link DIR-859 firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Volume Access (T1006). The CVE ranks in the top 1.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-0769 is a path traversal vulnerability, tracked as CWE-22, that affects the unsupported D-Link DIR-859 firmware version 1.06B01. The flaw resides in the HTTP POST Request Handler component within the file /hedwig.cgi, where the service argument can be manipulated with a crafted input such as ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml to traverse directories.

An unauthenticated remote attacker can send a specially formed HTTP POST request to read arbitrary files on the device, resulting in limited information disclosure as reflected in the CVSS 5.3 score. The vulnerability was publicly disclosed with a working exploit and assigned VDB-251666.

D-Link has confirmed the DIR-859 is end-of-life, issued an advisory (SAP10371) stating the product is no longer supported, and recommends immediate retirement and replacement. The EPSS score stands at 0.7676 with no material increase after disclosure.

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

CWE(s)
KEV Date Added: 25 June 2025

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1006 Direct Volume Access Stealth
Adversaries may directly access a volume to bypass file access controls and file system monitoring.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in the public-facing router web interface (/hedwig.cgi) enables exploitation of a public-facing application (T1190) for direct volume access to read arbitrary local files (T1006), as explicitly mapped by MITRE ATT&CK in advisories.

Affected Assets

dlink
dir-859 firmware
1.06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires replacement or isolation of unsupported system components such as the EOL D-Link DIR-859 firmware that can no longer receive patches for the path-traversal flaw.

prevent

Mandates validation of untrusted input (the service argument to hedwig.cgi) to reject path-traversal sequences before they can be used to read arbitrary files.

prevent

Enforces access-control decisions on the HTTP POST handler so that unauthenticated requests cannot traverse directories and retrieve sensitive configuration files.
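
One way to apply the input-validation control described above at a filtering proxy or during log review, as an added example (not code from D-Link or from this page). It assumes the service value has already been extracted from the POST body and that legitimate values are single tokens; the function names and sample records are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: legitimate service names are single tokens such as "DHCPS6.BRIDGE-1"
# (taken from the file name in the traversal string quoted on this page).
SAFE_SERVICE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def normalize(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def service_is_safe(value):
    """Allow-list check: one token, no separators, no '..', no NUL."""
    v = normalize(value)
    if "\x00" in v or "/" in v or "\\" in v or ".." in v:
        return False
    return SAFE_SERVICE.fullmatch(v) is not None

def flag_requests(records):
    """Return records that POST an unsafe service value to /hedwig.cgi."""
    hits = []
    for r in records:
        path = r["path"].split("?", 1)[0]
        if (r["method"] == "POST" and path == "/hedwig.cgi"
                and not service_is_safe(r["service"])):
            hits.append(r)
    return hits

# Constructed sample records (not real traffic); the "service" field is assumed
# to have been extracted from the request body by the proxy or log pipeline.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": "/hedwig.cgi",
     "service": "DHCPS6.BRIDGE-1"},
    {"src": "198.51.100.7", "method": "POST", "path": "/hedwig.cgi",
     "service": "../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml"},
    {"src": "198.51.100.7", "method": "POST", "path": "/hedwig.cgi",
     "service": "%252e%252e%252fhtdocs"},
    {"src": "192.0.2.10", "method": "GET", "path": "/index.php", "service": ""},
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print("suspicious:", hit["src"], repr(hit["service"]))
```

Because the DIR-859 is end-of-life, a check like this only supplements isolation or replacement of the device; it does not fix the firmware.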