CVE-2016-20017
Published 2022-10-19
Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-01-29
Exploited in the wild
EPSS: 60.43% (99.0th percentile)
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dlink | dsl-2750b_firmware | < 1.05 | 1.05 |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.cgi?cli="; fast_pattern; http.uri.raw; content:"?cli="; content:"%27"; distance:0; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2016-20017; classtype:attempted-admin; sid:2049119; rev:2; metadata:affected_product D_Link, attack_target Networking_Equipment, created_at 2023_11_08, cve CVE_2016_20017, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Exploit requests use HTTP GET to /login.cgi with a 'cli' parameter containing a URL-encoded single quote (%27) for command injection; match on both the URI path and the encoded quote character.
- The injected command is passed directly to the 'ayecli' binary on the device; execution of 'ayecli' with unexpected arguments is a strong on-device indicator.
- For Korenix/Edimax variants, watch for HTTP POST to /formSysCmd with a body containing 'sysCmd=' followed by shell metacharacters (;, newline \x0a, backtick, pipe |, or $); all URL-encoded variants should be covered.
- Exploitation is unauthenticated and remote: no session or credentials are required before the malicious request is sent, so perimeter and internal network sensors should both be deployed.
- The Metasploit module targets firmware versions 1.01–1.03, but NVD and CISA scope the vulnerability to all versions before 1.05; ensure detection coverage is not limited to the narrower firmware range.
- The second Snort rule (sid:2049120) covers a related but distinct attack surface (Korenix JetWave / Edimax formSysCmd endpoint) and is tagged with both CVE-2016-20017 and CVE-2025-14094; treat it as a separate detection surface from the D-Link login.cgi vector.
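The two detection notes above (sid:2049119 for the D-Link login.cgi vector, sid:2049120 for the formSysCmd vector) as a small log triage script. This is an added example, not code from the page or from the rule authors; it assumes a constructed access-log format of `src METHOD URI BODY` (BODY is `-` when empty) and only reimplements the matching logic the rules describe.

```python
import re
from typing import List, Optional, Tuple

# Mirrors the PCRE in sid:2049120: after "sysCmd=", scan up to the next '&'
# for a raw or URL-encoded ';', newline, backtick, pipe or '$'.
_SYSCMD_META = re.compile(
    r"sysCmd=[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)"
)

def match_dlink_login_cgi(method: str, uri: str) -> bool:
    """sid:2049119 logic: GET to /login.cgi?cli= with a URL-encoded single
    quote (%27) somewhere after the cli= parameter marker (raw URI)."""
    if method != "GET" or "/login.cgi?cli=" not in uri:
        return False
    idx = uri.find("?cli=")
    return idx != -1 and "%27" in uri[idx + len("?cli="):]

def match_formsyscmd(method: str, uri: str, body: str) -> bool:
    """sid:2049120 logic: POST to /formSysCmd whose body has sysCmd= followed
    by a shell metacharacter before the next '&'."""
    if method != "POST" or "/formSysCmd" not in uri:
        return False
    return _SYSCMD_META.search(body) is not None

def classify(line: str) -> Optional[str]:
    """Parse one constructed log line and return the matching signature id."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None
    _src, method, uri = parts[:3]
    body = parts[3] if len(parts) == 4 and parts[3] != "-" else ""
    if match_dlink_login_cgi(method, uri):
        return "sid:2049119"
    if match_formsyscmd(method, uri, body):
        return "sid:2049120"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source address, signature id) for every line that matches."""
    hits = []
    for line in lines:
        sid = classify(line)
        if sid:
            hits.append((line.split(" ", 1)[0], sid))
    return hits

# Constructed sample lines (documentation addresses, placeholder bodies).
SAMPLE_LOG = [
    "203.0.113.5 GET /login.cgi?cli=aaaa%27 -",
    "203.0.113.5 GET /login.cgi?cli=admin -",
    "198.51.100.9 POST /formSysCmd sysCmd=abc%3Bxyz&apply=1",
    "198.51.100.9 POST /formSysCmd sysCmd=abc&other=%3B",
    "192.0.2.7 GET /index.html -",
]
```

The fourth sample shows why the regex stops at '&': a metacharacter in a later parameter is not a sysCmd injection and must not fire.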
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-4gf4-mg8f-6224 · ghsa_unreviewed · 2022-10-19 · CVE-2016-20017 [CRITICAL] CWE-77
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
VulnCheck
D-Link DSL-2750B Devices Command Injection Vulnerability
vulncheck · 2016 · CVSS 9.8 · CVE-2016-20017 [CRITICAL] CWE-77
D-Link DSL-2750B devices contain a command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter.
Affected: D-Link DSL-2750B Devices
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/; https://www.welivesecurity.com/wp-content/uploads/2022/10/eset_threat_report_t22022.pdf; https://www.cve.org/CVERecord?id=CVE-2016-20017; https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/; https://www.welivesecurity.com/wp-content/uploads/2023/02/eset_threat_r
CISA
D-Link DSL-2750B Devices Command Injection Vulnerability
cisa · 2024-01-08 · CVSS 9.8 · CVE-2016-20017 [CRITICAL] CWE-77
Affected: D-Link DSL-2750B Devices
D-Link DSL-2750B devices contain a command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10088; https://nvd.nist.gov/vuln/detail/CVE-2016-20017
Remediation Due Date: 2024-01-29
Suricata
ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017)
suricata · 2023-11-08 · CVSS 9.8 · CVE-2016-20017 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.cgi?cli="; fast_pattern; http.uri.raw; content:"?cli="; content:"%27"; distance:0; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2016-20017; classtype:attempted-admin; sid:2049119; rev:2; metadata:affected_product D_Link, attack_target Networking_Equipment, created_at 2023_11_08, cve CVE_2016_20017, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, mitre_tactic_id TA0008
Suricata
ET EXPLOIT Korenix JetWave/Edimax formSysCmd Command Injection Attempt (CVE-2016-20017, CVE-2025-14094)
suricata · 2023-11-08 · CVSS 9.8 · CVE-2016-20017 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Korenix JetWave/Edimax formSysCmd Command Injection Attempt (CVE-2016-20017, CVE-2025-14094)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/formSysCmd"; fast_pattern; http.request_body; content:"sysCmd|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2016-20017; reference:cve,2025-14094; reference:url,github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/3.md; classtype:attempted-admin; sid:2049120; rev:3; metadata:affected_produ
Sans Isc
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)
blogs_sans_isc · 2026-06-25 · CVE-2016-20017
Published: 2026-06-24. Last Updated: 2026-06-25 00:39:08 UTC
by Nicole Phillips, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Nicole Phillips, an ISC intern as part of the SANS.edu BACS program]
"I was just sitting here enjoying the company. Plants got a lot to say, if you take the time to listen."
— Eeyore, Winnie the Pooh
Introduction: Listening to the Static
Setting up and contributing to the DShield honeypot project [1] as an ISC intern is a meaningful part of the BACS program at SANS [2]. Over the last several months I've been thrilled to observe real-time SSH/Telnet activity, check every new file hash and TTY log and hunt for unique http requests. That sa
Bleepingcomputer
CISA warns agencies of fourth flaw used in Triangulation spyware attacks
blogs_bleepingcomputer · 2024-01-09 · CVSS 5.3 · [MEDIUM]
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency has added to the Known Exploited Vulnerabilities catalog six vulnerabilities that impact products from Apple, Adobe, Apache, D-Link, and Joomla.
The Known Exploited Vulnerabilities catalog, or KEV for short, contains security issues that have been actively exploited in the wild. It is a valuable resource for organizations across the globe in the vulnerability management and prioritization process.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," reads CISA's notice.
CISA has given federal agencies until January 29 to patch the six actively
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer · 2023-10-10 · CVSS 9.8 · [CRITICAL]
## Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
blogs_fortinet · 2023-10-09 · CVSS 9.8 · [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran
References
- https://seclists.org/fulldisclosure/2016/Feb/53
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10088
- https://www.exploit-db.com/exploits/44760
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-20017
Timeline
- 2022-10-19: Published
- 2024-01-08: Added to CISA KEV
- Exploited in the wild