CVE-2019-17506
published 2019-10-11


Priority: P190, critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 57.30% (99.0th percentile)
There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.

Affected (2 ranges)

Vendor   Product                  Version range   Fixed in
dlink    dir-817lw_a1_firmware
dlink    dir-868l_b1_firmware

Detection & IOCs (extracted from sources)

URL: /getcfg.php
Command: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link getcfg Information Disclosure Attempt (CVE-2019-17506)"; flow:established,to_server; http.request_line; content:"GET /getcfg.php?"; startswith; http.request_body; content:"SERVICES|3d|DEVICE.ACCOUNT"; startswith; fast_pattern; content:"|25|0AAUTHORIZED_GROUP"; pcre:"/^(?:\x3d|\x253[Dd])1/R"; reference:cve,2019-17506; reference:url,github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot; classtype:attempted-admin; sid:2063278; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_02, cve CVE_2019_17506, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • POST request to /getcfg.php with body containing SERVICES=DEVICE.ACCOUNT and AUTHORIZED_GROUP=1%0a (URL-encoded newline injection) bypasses authentication and discloses credentials.
  • Successful exploitation returns HTTP 200 with response body containing both '<NAME>' and 'DEVICE.ACCOUNT' strings.
  • Exploit traffic uses Content-Type: text/xml header on the POST request to /getcfg.php — monitor for this unusual combination on router management interfaces.
  • Snort/Suricata SID 2063278 (ET rule) detects the GET variant: it looks for 'GET /getcfg.php?' in the request line AND 'SERVICES=DEVICE.ACCOUNT' at the start of the body AND '%0AAUTHORIZED_GROUP' with value '1'.
  • The %0a (URL-encoded newline) in AUTHORIZED_GROUP=1%0a is the key injection character — alert on any request to getcfg.php containing this pattern regardless of HTTP method.
  • Affected devices are D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 only — scope detection rules to these specific firmware versions to reduce false positives.
  • The ET Snort rule (SID 2063278) is written for the GET method variant; the Nuclei template uses POST — ensure detection coverage includes both HTTP methods against /getcfg.php.
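As an added example (not code from this record or from the ET or Nuclei sources it cites), the following Python applies the method-agnostic check described above to raw HTTP requests, covering the GET query-string form the ET rule targets, the POST body form, and a double-encoded variant; the host name and request samples are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators from the record: the endpoint, the SERVICES value, and an
# AUTHORIZED_GROUP=1 with an adjacent URL-encoded newline (%0a).
TARGET_PATH = "/getcfg.php"
NL = r"(?:%0a|\n)"
SERVICES_RE = re.compile(r"SERVICES(?:=|%3d)DEVICE\.ACCOUNT", re.IGNORECASE)
AUTH_GROUP_RE = re.compile(
    NL + r"AUTHORIZED_GROUP(?:=|%3d)1|AUTHORIZED_GROUP(?:=|%3d)1" + NL, re.IGNORECASE)

# Constructed sample requests (not real captures): POST variant with the text/xml
# header, GET variant as the ET rule expects, a double-encoded GET, and a benign query.
SAMPLE_REQUESTS = {
    "post_variant": ("POST /getcfg.php HTTP/1.1\r\nHost: router.lan\r\n"
                     "Content-Type: text/xml\r\nContent-Length: 45\r\n\r\n"
                     "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a"),
    "get_variant": ("GET /getcfg.php?SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 "
                    "HTTP/1.1\r\nHost: router.lan\r\n\r\n"),
    "double_encoded": ("GET /getcfg.php?SERVICES%253dDEVICE.ACCOUNT%250aAUTHORIZED_GROUP"
                       "%253d1 HTTP/1.1\r\nHost: router.lan\r\n\r\n"),
    "benign": "GET /getcfg.php?SERVICES=DEVICE.TIME HTTP/1.1\r\nHost: router.lan\r\n\r\n",
}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, query, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    path, _, query = target.partition("?")
    headers = {name.strip().lower(): value.strip() for name, _, value in
               (line.partition(":") for line in lines[1:])}
    return method, path, query, headers, body

def classify(raw):
    """Flag the CVE-2019-17506 pattern on any HTTP method: path /getcfg.php with
    SERVICES=DEVICE.ACCOUNT and a newline-adjacent AUTHORIZED_GROUP=1 in query or body."""
    method, path, query, headers, body = parse_request(raw)
    verdict = {"method": method, "match": False, "text_xml": False}
    if path != TARGET_PATH:
        return verdict
    # Content-Type: text/xml on a getcfg.php request is the secondary signal noted above.
    verdict["text_xml"] = headers.get("content-type", "").lower().startswith("text/xml")
    for params in (query, body):
        # raw, once- and twice-decoded copies cover the %0a/%250a and %3d/%253d forms
        candidates = (params, unquote(params), unquote(unquote(params)))
        if any(SERVICES_RE.search(c) and AUTH_GROUP_RE.search(c) for c in candidates):
            verdict["match"] = True
            break
    return verdict
```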

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL