CVE-2019-20500

CVSS 7.8 HIGH · EPSS 96.1% · KEV · CWE-78
In short

An authenticated attacker can execute arbitrary operating system commands on a D-Link DWL-2600AP wireless access point by injecting shell metacharacters through the configuration save feature in the web interface.

Technical detail

An OS command injection (CWE-78) exists in admin.cgi when it processes the configBackup or downloadServerip parameters during the config_save action. An authenticated attacker can inject shell metacharacters into either parameter to achieve arbitrary command execution with device privileges. The vulnerability requires valid credentials and affects D-Link DWL-2600AP firmware version 4.2.0.15 Rev A.

Summary generated and translated by AI from the official description.
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
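
For defenders who proxy or log management traffic to these access points, the check below flags config_save requests whose configBackup or downloadServerip value contains shell metacharacters. It is an added example, not code from D-Link or from the CVE record; the function name, the metacharacter set, the sample requests, and the assumption that the proxy records the request target and any form body are all illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters named in the CVE description.
WATCHED_PARAMS = ("configBackup", "downloadServerip")
# Characters a POSIX shell treats specially; a backup file name or server
# address has no legitimate need for any of them.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\r\n]")


def suspicious_params(target, body=""):
    """Return {param: decoded value} for watched parameters that carry shell
    metacharacters in a config_save request to admin.cgi, else {}.

    target: request target as logged, e.g. "/admin.cgi?action=config_save"
    body:   URL-encoded form body, if the proxy recorded one (assumption)
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/admin.cgi"):
        return {}
    # parse_qs percent-decodes, so encoded metacharacters (%3B, %60) are seen.
    fields = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    if "config_save" not in fields.get("action", []):
        return {}
    hits = {}
    for name in WATCHED_PARAMS:
        for value in fields.get(name, []):
            if SHELL_META.search(value):
                hits[name] = value
    return hits


# Constructed sample requests (target, form body); not captured traffic.
SAMPLES = [
    ("/admin.cgi?action=config_save&configBackup=backup.cfg", ""),
    ("/admin.cgi?action=config_save",
     "configBackup=config.xml&downloadServerip=192.0.2.10%3Becho+test"),
    ("/admin.cgi?action=config_save&configBackup=%60echo+test%60", ""),
    ("/admin.cgi?action=status&downloadServerip=a%7Cb", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, "->", suspicious_params(target, body) or "clean")
```
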
Affected products
n/a · n/a