CVE-2019-17506
Published 2019-10-11
Priority P190 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 57.30% (99.0th percentile)
There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dlink | dir-817lw_a1_firmware | — | — |
| dlink | dir-868l_b1_firmware | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link getcfg Information Disclosure Attempt (CVE-2019-17506)"; flow:established,to_server; http.request_line; content:"GET /getcfg.php?"; startswith; http.request_body; content:"SERVICES|3d|DEVICE.ACCOUNT"; startswith; fast_pattern; content:"|25|0AAUTHORIZED_GROUP"; pcre:"/^(?:\x3d|\x253[Dd])1/R"; reference:cve,2019-17506; reference:url,github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot; classtype:attempted-admin; sid:2063278; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_02, cve CVE_2019_17506, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- POST request to /getcfg.php with a body containing SERVICES=DEVICE.ACCOUNT and AUTHORIZED_GROUP=1%0a (URL-encoded newline injection) bypasses authentication and discloses credentials.
- Successful exploitation returns HTTP 200 with a response body containing both the '<NAME>' and 'DEVICE.ACCOUNT' strings.
- Exploit traffic uses a Content-Type: text/xml header on the POST request to /getcfg.php; monitor for this unusual combination on router management interfaces.
- Snort/Suricata SID 2063278 (ET rule) detects the GET variant: it looks for 'GET /getcfg.php?' in the request line AND 'SERVICES=DEVICE.ACCOUNT' at the start of the body AND '%0AAUTHORIZED_GROUP' with value '1'.
- The %0a (URL-encoded newline) in AUTHORIZED_GROUP=1%0a is the key injection character; alert on any request to getcfg.php containing this pattern regardless of HTTP method.
- Affected devices are D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 only; scope detection rules to these specific firmware versions to reduce false positives.
- The ET Snort rule (SID 2063278) is written for the GET method variant, while the Nuclei template uses POST; ensure detection coverage includes both HTTP methods against /getcfg.php.
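As an added example (not code from the page, the ET rule or the Nuclei template), the following Python detector implements the notes above in a method-agnostic way: it parses raw HTTP request text, flags /getcfg.php requests that carry SERVICES=DEVICE.ACCOUNT together with AUTHORIZED_GROUP=1%0a in either the query string or the body, and records whether the request used the text/xml Content-Type. The sample requests and the 192.0.2.1 address are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

GETCFG_PATH = "/getcfg.php"
# Key/value separator may be '=' or its encoded form '%3D', as in the ET rule's pcre.
SERVICES_RE = re.compile(r"(?:^|&)SERVICES(?:=|%3d)DEVICE\.ACCOUNT(?:&|$)", re.I)
# The %0a (URL-encoded newline) following the value 1 is the injection marker.
AUTH_GROUP_RE = re.compile(r"(?:^|&)AUTHORIZED_GROUP(?:=|%3d)1%0a", re.I)

# Constructed sample requests for illustration; 192.0.2.1 is a documentation address.
SAMPLE_POST = (
    "POST /getcfg.php HTTP/1.1\r\nHost: 192.0.2.1\r\nContent-Type: text/xml\r\n\r\n"
    "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a"
)
SAMPLE_GET = (
    "GET /getcfg.php?SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0A HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n\r\n"
)
SAMPLE_BENIGN = "POST /getcfg.php HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\nSERVICES=DEVICE.TIME"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}


def detect_getcfg_bypass(raw: str) -> Optional[dict]:
    """Return alert details when the request carries the CVE-2019-17506 pattern, else None."""
    req = parse_request(raw)
    if req["path"] != GETCFG_PATH:
        return None
    # Parameters may arrive in the query string (GET) or the body (POST); check both.
    for where in ("query", "body"):
        params = req[where].strip()
        if SERVICES_RE.search(params) and AUTH_GROUP_RE.search(params):
            ctype = req["headers"].get("content-type", "")
            return {"method": req["method"], "params_in": where,
                    "xml_content_type": ctype.startswith("text/xml")}
    return None
```

Feed each reassembled request (for example from a proxy log or a pcap) to detect_getcfg_bypass; a non-None result is an alert with the method and where the parameters were found.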
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | | 9.8 | CRITICAL | |
GHSA
GHSA-r9jg-89wp-76vr (ghsa_unreviewed · 2022-05-24 · severity HIGH)
There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
VulnCheck
D-Link dir-868l_b1_firmware Missing Authentication for Critical Function (vulncheck · 2019 · CVSS 9.8 CRITICAL)
There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
Affected: D-Link dir-868l_b1_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2019-17506; https://dashboard.sh
Suricata
ET WEB_SPECIFIC_APPS D-Link getcfg Information Disclosure Attempt (CVE-2019-17506) (suricata · 2025-07-02 · CVSS 9.8 CRITICAL)
Rule: SID 2063278, rev 1; the full rule text is listed under Detection & IOCs above.
Nuclei
D-Link DIR-868L/817LW - Information Disclosure (nuclei · CVSS 9.8 CRITICAL)
D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers are vulnerable to information disclosure vulnerabilities because certain web interfaces do not require authentication. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
Template:
id: CVE-2019-17506
info:
  name: D-Link DIR-868L/817LW - Information Disclosure
  author: pikpikcu
  severity: critical
  description: |
    D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers are vulnerable to information disclosure vulnerabilities because certain web interfaces do not require authentication. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
No writeups or analysis indexed.