← back
CVE-2016-20017

CVE-2016-20017

CVSS 9.8 CRITICALEPSS 60.4%● KEVCWE-77
In short

D-Link DSL-2750B routers before version 1.05 have a critical flaw that allows anyone on the internet to run arbitrary commands on the device without needing a password, by sending specially crafted requests to the login page.

Technical detail

CWE-77 command injection vulnerability in login.cgi accepts unsanitized input via the cli parameter, allowing unauthenticated remote code execution on affected D-Link DSL-2750B firmware versions prior to 1.05. Attack requires only network access to the device's web interface and no authentication credentials.

Summary generated and translated by AI from the official description.
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
public PoCs found1
cve_referencewww.exploit-db.com/exploits/44760unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://seclists.org/fulldisclosure/2016/Feb/53https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10088https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-20017https://www.exploit-db.com/exploits/44760