A vulnerability was found in D-Link DSL-2750B. It has been rated as critical. This issue affects an unknown functionality of the file login.cgi. The manipulation of the argument cli with an unknown input leads to a command injection vulnerability. Using CWE to declare the problem leads to CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.

The weakness was released 10/19/2022. It is possible to read the advisory at seclists.org. The identification of this vulnerability is CVE-2016-20017. Technical details as well as a public exploit are known. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

The exploit is available at exploit-db.com. It is declared as functional. We expect the 0-day to have been worth approximately $5k-$25k. The CISA Known Exploited Vulnerabilities Catalog lists this issue since 01/08/2024 with a due date of 01/29/2024:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Upgrading to version 1.05 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (44760).

Productinfo

Vendor

• D-Link

Name

• DSL-2750B

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion