CVE-2019-10891
Published: 2019-09-06
Priority: P183 · critical 9.8 (CVSS 3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 19.44% (97.0th percentile)
An issue was discovered in D-Link DIR-806 devices. There is a command injection in function hnap_main, which calls system() without checking the parameter that can be controlled by user, and finally allows remote attackers to execute arbitrary shell commands with a special HTTP header.
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-frjj-4mjw-3gmf · ghsa_unreviewed · 2022-05-24 · CVE-2019-10891 [CRITICAL] CWE-78
D-Link DIR-806 devices allow remote attackers to execute arbitrary shell commands via a trailing substring of an HTTP header that has "SOAPAction: http://purenetworks.com/HNAP1/GetDeviceSettings/" at the beginning.
VulnCheck
D-Link dir-806_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2019 · CVSS 9.8 · CVE-2019-10891 [CRITICAL]
An issue was discovered in D-Link DIR-806 devices. There is a command injection in function hnap_main, which calls system() without checking the parameter that can be controlled by user, and finally allows remote attackers to execute arbitrary shell commands with a special HTTP header.
Affected: D-Link dir-806_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortiguard.com/outbreak-alert/router-malware-attack; https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
Suricata
ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)
suricata · 2021-11-17 · CVSS 9.8 · CVE-2015-2051 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)"; flow:established,to_server; http.uri; content:"/hnap1/"; nocase; http.header; content:"soapaction|3a 20|"; nocase; content:"http|3a 2f 2f|purenetworks|2e|com|2f|hnap1|2f|getdevicesettings"; within:60; fast_pattern; nocase; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; reference:cve,2019-10891; reference:cve,
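Added here as a defender-side illustration, not code from this page or from the rule's authors: a Python approximation of the Suricata rule's match logic (HNAP1 URI, SOAPAction starting with the GetDeviceSettings URL, a shell metacharacter in the trailing substring before any `&`, raw or percent-encoded), run over constructed sample requests. The request bytes, the 192.0.2.1 address and the helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Prefix named by the advisory and the ET rule; the injected trailing
# substring follows it inside the SOAPAction header.
HNAP_PREFIX = "http://purenetworks.com/HNAP1/GetDeviceSettings"

# Metacharacters the rule's PCRE looks for before any '&':
# ';', newline, backtick, '|', '$' (the '$' is literal inside the class).
_META = re.compile(r"^[^&]*?[;\n`|$]")


def parse_headers(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request into (request-line, {lowercased name: value})."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_hnap_soapaction_injection(raw: bytes) -> bool:
    """True when the request has the shape the ET rule flags."""
    request_line, headers = parse_headers(raw)
    parts = request_line.split()
    if len(parts) < 2 or "/hnap1/" not in parts[1].lower():
        return False
    action = headers.get("soapaction", "").strip('"')
    if not action.lower().startswith(HNAP_PREFIX.lower()):
        return False
    # Decode %3B, %0A, %60, %7C, %24 so encoded variants are caught too.
    trailing = unquote(action[len(HNAP_PREFIX):])
    return _META.search(trailing) is not None


# Constructed sample requests (not captured traffic).
BENIGN = (b"POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
          b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/"\r\n\r\n')
INJECTED = (b"POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`echo probe`"\r\n\r\n')
ENCODED = (b"POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
           b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/%3B%20echo%20probe"\r\n\r\n')
```

Unlike the Suricata rule, this is not stream-aware and does not apply the `within:60` distance limit, so treat it as a log-replay triage helper rather than a replacement for the IDS signature.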
No public exploits indexed.
Bleepingcomputer
Malware botnets exploit outdated D-Link routers in recent attacks
blogs_bleepingcomputer · 2024-12-29 · CVSS 9.8 · CVE-2015-2051 [CRITICAL]
## Malware botnets exploit outdated D-Link routers in recent attacks
## Bill Toulas
Two botnets tracked as ‘Ficora’ and ‘Capsaicin’ have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions.
The list of targets includes popular D-Link devices used by individuals and organizations such as DIR-645, DIR-806, GO-RT-AC750, and DIR-845L.
For initial access, the two pieces of malware use known exploits for CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
Once a device is compromised, attackers leverage weaknesses in D-Link’s management interface (HNAP) and execute malicious commands through a GetDeviceSettings action.
The botnets can steal data and execute shell scripts. Attackers appear to compr
Fortinet
Botnets Continue to Target Aging D-Link Vulnerabilities | FortiGuard Labs
blogs_fortinet · 2024-12-26 · CVSS 9.8 · [CRITICAL]
By Vincent Li | December 26, 2024
Affected Platforms: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier. D-Link DIR-806 devices. D-Link GO-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02. D-Link DIR-845L router v1.01KRb03 and before
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
FortiGuard Labs noticed a spike in the activity of two different botnets in October and November of 2024. One was the Mirai variant “FICORA,” and the other was the Kaiten variant “CAPSAICIN.” These botnets are frequently spread throu
Greynoiseio
NoiseLetter August 2024
blogs_greynoiseio