cbcvebase.
CVE-2017-6206
published 2017-02-23

CVE-2017-6206: D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003…

PriorityP260high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
16.21%
96.5th percentile
D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vectors.

Affected

1 ranges
VendorProductVersion rangeFixed in
dlinkwebsmart_dgs-1510_series_firmware<= 1.31.b001

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://<ip>/DataStore/990_user_account.js?index=0&pagesize=10
urlhttp://<ip>/form/User_Accounts_Apply
path/DataStore/990_user_account.js
path/form/User_Accounts_Apply
commandaction=0&username=admin2&privilege=15&type=0&password=admin2
  • Detect unauthenticated GET requests to /DataStore/990_user_account.js — no session cookie or auth token required; presence of 'X-Requested-With: XMLHttpRequest' header alongside this path is a strong exploit indicator.
  • Detect unauthenticated POST requests to /form/User_Accounts_Apply with body containing 'privilege=15', indicating an attempt to create a new admin-level account without prior authentication.
  • Alert on HTTP requests to D-Link DGS-1510 devices where the Referer header is set to /www/login.html but the requested path is /DataStore/990_user_account.js or /form/User_Accounts_Apply — this pattern matches the exploit's unauthenticated access flow.
  • Flag devices running firmware before 1.31.B003 on D-Link DGS-1510 series (DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, DGS-1510-20) as vulnerable to unauthenticated information disclosure.
  • ·The exploit scripts use Python 2 (urllib2, StringIO) and hardcode the target IP as a command-line argument; the attack paths are relative to the device's HTTP management interface port (default TCP 80).
  • ·The user enumeration endpoint returns paginated results; the exploit requests the first page (index=0, pagesize=10), so full account enumeration may require iterating the index parameter.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.