D-Link DIR-859 1.06B01 HTTP POST Request /hedwig.cgi service path traversal

Summaryinfo

A vulnerability, which was classified as critical, was found in D-Link DIR-859 1.06B01. This affects an unknown function of the file /hedwig.cgi of the component HTTP POST Request Handler. Such manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is documented as CVE-2024-0769. The attack can be executed remotely. Additionally, an exploit exists. It is suggested to disable the affected component. Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Detailsinfo

A vulnerability was found in D-Link DIR-859 1.06B01 (Router Operating System). It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input value ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality.

The weakness was released 01/20/2024 by Françoa Taffarel (exord26) with Lab-C2DC-ITA. The advisory is available at github.com. This vulnerability is handled as CVE-2024-0769. Technical details as well as a public exploit are known. This vulnerability is assigned to T1006 by the MITRE ATT&CK project.

The exploit is available at github.com. It is declared as attacked. As 0-day the estimated underground price was around $5k-$25k. Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. The vulnerability scanner Nessus provides a plugin with the ID 241294 (DLink DIR-859 1.05 & 1.06B01 Path Traversal), which helps to determine the existence of the flaw in a target environment. This issue was added on 06/25/2025 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 07/16/2025:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

The best possible mitigation is suggested to be disabling the affected component. The advisory contains the following remark:

The DIR-859, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle. D-Link US recommends D-Link devices that have reached EOL/EOS, to be retired and replaced. Please contact your regional office for recommendations (LINK).

As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease. Please read information and recommendations below.

The vulnerability is also documented in the vulnerability database at Tenable (241294). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Router Operating System

Vendor

• D-Link

Name

• DIR-859

Version

• 1.06B01

License

• commercial

Support

• end of life

Website

• Vendor: https://www.dlink.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #267965: D-LINK DIR-859 RevA_FW_Patch_v1.06B01 Improper Input Validation, Improper Privilege Management (by francoa.taffarel)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion