CVE-2019-16057

CVSS 9.8 (Critical) · EPSS 87.2% · KEV · CWE-78
Vexday Risk Score: 95 (Fix now)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
Tags: CVSS 9.8 · EPSS 87.2% · KEV · simPoC · Nuclei · simMetasploit · Patch
Lifecycle
16 Sep 2019: Published on NVD
15 Apr 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

The login manager script in D-Link DNS-320 devices allows attackers to run arbitrary commands on the device without authentication. This gives complete control over the storage device and its data.

Technical detail

The login_mgr.cgi endpoint is vulnerable to OS command injection (CWE-78) via improper input validation. An unauthenticated remote attacker can inject shell commands through user-controlled parameters, leading to arbitrary code execution with device privileges. Affected versions: D-Link DNS-320 through 2.05.B10.

Summary generated and translated by AI from the official description.
Official description: The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products: n/a · n/a
