Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-20499

CWE-78 — OS Command Injection6 documents5 sources

Severity

7.8HIGH

EPSS

88.8%

top 0.48%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Dlink Dwl-2600ap Firmware

Timeline

PublishedMar 5

Latest updateNov 7

Description

D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDdlink/dwl-2600ap_firmware4.2.0.15

Patches

Patch: supportannouncement.us.dlink.com ↗Patch: supportannouncement.us.dlink.com ↗

🔴Vulnerability Details

GHSA

GHSA-9fm7-cmvm-vvjr: D-Link DWL-2600AP 4↗2022-05-24

▶

CVEList

CVE-2019-20499: D-Link DWL-2600AP 4↗2020-03-05

▶

💥Exploits & PoCs

Exploit-DB

DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)↗2020-03-31

▶

Exploit-DB

D-Link DWL-2600AP - Multiple OS Command Injection↗2019-05-14

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS D-Link DWL-2600AP Command Injection Attempt (CVE-2019-20499, CVE-2019-20500, CVE-2019-20501)↗2024-11-07

▶