⚠ Actively exploited
Added to CISA KEV on 2023-06-29. Federal agencies required to patch by 2023-07-20. Required action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable..
CVE-2019-20500 — OS Command Injection in Dlink Dwl-2600ap Firmware
Severity
7.8HIGHNVD
EPSS
92.5%
top 0.27%
CISA KEV
KEV
Added 2023-06-29
Due 2023-07-20
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedMar 5
KEV addedJun 29
KEV dueJul 20
Latest updateNov 7
CISA Required Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Description
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages1 packages
Patches
🔴Vulnerability Details
3💥Exploits & PoCs
1🔍Detection Rules
1Suricata▶
ET WEB_SPECIFIC_APPS D-Link DWL-2600AP Command Injection Attempt (CVE-2019-20499, CVE-2019-20500, CVE-2019-20501)↗2024-11-07