cbcvebase.
CVE-2024-23624
published 2024-01-26

CVE-2024-23624: A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices. An unauthenticated attacker can exploit this vulnerability to gain…

PriorityP181critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
25.99%
97.7th percentile
A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.

Affected

1 ranges
VendorProductVersion rangeFixed in
d-linkdap-1650<= 1.04B01

Detection & IOCsextracted from sources · hover to see the quote

path/gena.cgi
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link gena.cgi service Parameter Command Injection Attempt (CVE-2025-13562, CVE-2024-23624, CVE-2019-17621)"; flow:established,to_server; content:"SUBSCRIBE /gena.cgi|3f|service|3d|"; fast_pattern; depth:28; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; content:"NT|3a 20|"; content:"Callback|3a 20|"; reference:cve,2019-17621; reference:cve,2025-13562; reference:cve,2024-23624; classtype:attempted-admin; sid:2066991; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_23, cve CVE_2019_17621, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic uses HTTP SUBSCRIBE method targeting /gena.cgi with a 'service' query parameter; look for shell metacharacters (;, newline, backtick, pipe, $) injected into the service parameter value.
  • Exploit requests also contain both 'NT:' and 'Callback:' HTTP headers, consistent with UPnP SUBSCRIBE abuse; filter on their co-presence with the malicious service parameter.
  • The vulnerability is exploitable without authentication and results in root-level command execution; treat any successful SUBSCRIBE to /gena.cgi from an external source as critical.
  • Traffic is plaintext (not TLS); deploy detection at the network perimeter and internally to catch lateral movement.
  • ·The Snort/ET rule covers three CVEs simultaneously (CVE-2025-13562, CVE-2024-23624, CVE-2019-17621) against D-Link gena.cgi; tune or split the rule if per-CVE fidelity is required.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.08.3HIGHAV:A/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.