Multiple D-Link routers vulnerable to remote command execution


Multiple D-Link routers are vulnerable to unauthenticated remote command execution.


Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:

  1. The /apply_sec.cgi code is exposed to unauthenticated users.
  2. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters.

Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable:

    • DIR-655
    • DIR-866L
    • DIR-652
    • DHP-1565
    • DIR-855L
    • DAP-1533
    • DIR-862L
    • DIR-615
    • DIR-835

We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.


By performing an HTTP POST request to a vulnerable router’s /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.


The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link.
Replace affected devices

Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.



This vulnerability was coordinated and publicly disclosed by Fortinet’s FortiGuard Labs.

This document was written by Will Dormann.

Other Information

CVE IDs:CVE-2019-16920
Date Public:2019-10-03
Date First Published:2019-10-23
Date Last Updated:2019-10-25 11:45 UTC
Document Revision:12

Leave a Reply

Your email address will not be published. Required fields are marked *