CVE-2024-23624
Published 2024-01-26
Priority: P181 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 25.99% (97.7th percentile)
A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d-link | dap-1650 | <= 1.04B01 | — |
Detection & IOCs (extracted from sources)
Snort rule:
```snort
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562, CVE-2024-23624, CVE-2019-17621)"; flow:established,to_server; content:"SUBSCRIBE /gena.cgi|3f|service|3d|"; fast_pattern; depth:28; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; content:"NT|3a 20|"; content:"Callback|3a 20|"; reference:cve,2019-17621; reference:cve,2025-13562; reference:cve,2024-23624; classtype:attempted-admin; sid:2066991; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_23, cve CVE_2019_17621, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit traffic uses the HTTP SUBSCRIBE method against /gena.cgi with a 'service' query parameter; look for shell metacharacters (;, newline, backtick, pipe, $), raw or percent-encoded, injected into the service parameter value.
- Exploit requests also carry both the 'NT:' and 'Callback:' HTTP headers, consistent with UPnP SUBSCRIBE abuse; filter on their co-presence with the malicious service parameter.
- The vulnerability is exploitable without authentication and results in root-level command execution; treat any successful SUBSCRIBE to /gena.cgi from an external source as critical.
- Traffic is plaintext (not TLS); deploy detection at the network perimeter and internally to catch lateral movement.
- The Snort/ET rule covers three CVEs at once (CVE-2025-13562, CVE-2024-23624, CVE-2019-17621) against D-Link gena.cgi; tune or split the rule if per-CVE fidelity is required.
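The conditions in the bullets above, as an added Python detector run over constructed sample requests (example code written for this page, not the page's or the rule author's; the sample requests and addresses are made up):

```python
import re

# Added detector mirroring ET rule sid:2066991 quoted above (not the page's
# or Proofpoint's own code): SUBSCRIBE to /gena.cgi whose 'service' value
# carries a shell metacharacter, plus the UPnP 'NT:' and 'Callback:' headers.
REQUEST_PREFIX = b"SUBSCRIBE /gena.cgi?service="  # rule's content match, depth:28
# Metacharacters the rule names (';', newline, '`', '|', '$'), raw or %-encoded.
METACHAR_RE = re.compile(rb";|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24")
# The 'service' value ends at the first '&' or whitespace of the request line.
SERVICE_VALUE_RE = re.compile(rb"^[^&\s]*")

def service_value(raw_request: bytes):
    """Return the 'service' query value, or None if the request line differs."""
    if not raw_request.startswith(REQUEST_PREFIX):
        return None
    return SERVICE_VALUE_RE.match(raw_request[len(REQUEST_PREFIX):]).group(0)

def has_upnp_headers(raw_request: bytes) -> bool:
    """True when 'NT: ' and 'Callback: ' header lines are both present
    (case-sensitive, like the rule's content matches)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    return b"\r\nNT: " in head and b"\r\nCallback: " in head

def matches_gena_cgi_injection(raw_request: bytes) -> bool:
    """True only when every condition of the rule holds for this request."""
    value = service_value(raw_request)
    if value is None or not METACHAR_RE.search(value):
        return False
    return has_upnp_headers(raw_request)

# Constructed sample requests (not captured traffic), one per decision branch.
UPNP_HEADERS = b"Host: 192.0.2.1\r\nNT: upnp:event\r\nCallback: <http://192.0.2.2/>\r\n\r\n"
SAMPLES = {
    "benign_subscribe":
        b"SUBSCRIBE /gena.cgi?service=WANIPConnection HTTP/1.1\r\n" + UPNP_HEADERS,
    "encoded_semicolon":
        b"SUBSCRIBE /gena.cgi?service=WANIPConnection%3Btrue HTTP/1.1\r\n" + UPNP_HEADERS,
    "metachar_in_other_param":
        b"SUBSCRIBE /gena.cgi?service=WANIPConnection&x=a|b HTTP/1.1\r\n" + UPNP_HEADERS,
    "missing_callback_header":
        b"SUBSCRIBE /gena.cgi?service=WANIPConnection`true` HTTP/1.1\r\n"
        b"Host: 192.0.2.1\r\nNT: upnp:event\r\n\r\n",
}

def scan(samples: dict) -> dict:
    """Map each sample name to whether it would trigger the rule."""
    return {name: matches_gena_cgi_injection(req) for name, req in samples.items()}
```

Only the percent-encoded semicolon sample fires; a metacharacter in a different query parameter or a request missing the Callback header does not, which is the per-condition behaviour to keep in mind when tuning the rule.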
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 8.3 HIGH (AV:A/AC:L/Au:N/C:C/I:C/A:C)
Suricata
ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562, CVE-2024-23624, CVE-2019-17621)
suricata · 2026-01-23 · CVSS 9.8
Rule: same rule text as the Snort rule above (sid 2066991).
No public exploits indexed.
No writeups or analysis indexed.