CVE-2016-20017
published 2022-10-19


Priority: P196, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-01-29
Exploited in the wild
EPSS: 60.43% (99.0th percentile)
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| dlink | dsl-2750b_firmware | < 1.05 | 1.05 |

Detection & IOCs (extracted from sources)

url: /login.cgi?cli=
path: /login.cgi
process: ayecli
snort:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.cgi?cli="; fast_pattern; http.uri.raw; content:"?cli="; content:"%27"; distance:0; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2016-20017; classtype:attempted-admin; sid:2049119; rev:2; metadata:affected_product D_Link, attack_target Networking_Equipment, created_at 2023_11_08, cve CVE_2016_20017, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Exploit requests use HTTP GET to /login.cgi with a 'cli' parameter containing a URL-encoded single-quote (%27) for command injection; match on both the URI path and the encoded quote character.
  • The injected command is passed directly to the 'ayecli' binary on the device; process execution of 'ayecli' with unexpected arguments is a strong on-device indicator.
  • For Korenix/Edimax variants, watch for HTTP POST to /formSysCmd with a body containing 'sysCmd=' followed by shell metacharacters (;, newline \x0a, backtick, pipe |, or $) — all URL-encoded variants should be covered.
  • Exploitation is unauthenticated and remote — no session or credentials are required before the malicious request is sent; perimeter and internal network sensors should both be deployed.
  • The Metasploit module targets firmware versions 1.01–1.03, but NVD and CISA scope the vulnerability to all versions before 1.05; ensure detection coverage is not limited to the narrower firmware range.
  • The second Snort rule (sid:2049120) covers a related but distinct attack surface (Korenix JetWave / Edimax formSysCmd endpoint) and is tagged with both CVE-2016-20017 and CVE-2025-14094; treat it as a separate detection surface from the D-Link login.cgi vector.
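
The matching logic from the first note (GET, /login.cgi path, quote character inside the cli value), applied to web or proxy access logs. This is an added example, not part of the original entry or of the Snort rule's source. It assumes combined-log-format lines, uses constructed sample lines with placeholder values, and goes slightly beyond the rule by also flagging a literal quote and a cli parameter in any query position.

```python
import re
from urllib.parse import urlsplit

# Combined-log request field: "METHOD raw-uri HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def raw_cli_value(raw_uri):
    """Return the undecoded value of the cli parameter, or None if absent."""
    for pair in urlsplit(raw_uri).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "cli":
            return value
    return None

def is_suspicious(method, raw_uri):
    """Mirror the rule's logic: GET, /login.cgi path, quote inside cli."""
    if method != "GET" or urlsplit(raw_uri).path != "/login.cgi":
        return False
    value = raw_cli_value(raw_uri)
    if value is None:
        return False
    # %27 is what the rule matches; a literal ' is an added assumption here.
    return "%27" in value or "'" in value

def scan(lines):
    """Return (line_number, client, raw_uri) for each matching log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match["method"], match["uri"]):
            hits.append((number, line.split(" ", 1)[0], match["uri"]))
    return hits

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /login.cgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /login.cgi?cli=PLACEHOLDER%27 HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html?cli=x%27 HTTP/1.1" 404 0',
    '203.0.113.4 - - [01/Jan/2024:10:00:12 +0000] "GET /login.cgi?lang=en&cli=status HTTP/1.1" 200 90',
    '203.0.113.4 - - [01/Jan/2024:10:00:15 +0000] "POST /login.cgi?cli=x%27 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, client, uri in scan(SAMPLE_LOG):
        print(f"line {number}: {client} requested {uri}")
```

The check runs on the raw, undecoded URI, as the rule's http.uri.raw match does, so it must be fed logs that record the request line before any normalization.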

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL