D-Link router exits remote execute code vulnerability and will not be patched

FortiGuardLabs researchers recently revealed that there are remote code execution vulnerabilities (CVE-2019-16920) in some models of D-Link routers. This vulnerability will affect the D-Link firmware in the DIR-655, DIR-866L, DIR-652, and DHP-1565 product families.

It is understood that the vulnerability allows an attacker to execute code remotely without authentication. A hacker can send a POST HTTP request through the Ping_Test gateway structure to obtain administrator credentials for the device or install a backdoor in the device.

The researcher said, “we implement the POST HTTP Request to ‘apply_sec.cgi’ with the action ping_test.” “We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed – the value of ping_ipaddr will execute the “echo 1234″ command in the router server and then send the result back to our server.”

On September 22, the researchers reported this vulnerability to D-Link. However, the company said that because the affected products are close to the end of their useful life, the company will not release relevant security patches.