CVE-2019-17621

Name of the Vulnerable Software and Affected Versions D-Link DIR-818Lx versions not specified D-Link DIR-822 versions not specified D-Link DIR-823 versions not specified D-Link DIR-859 versions 1.05 through 1.06B01 Beta01 D-Link DIR-865L versions not specified D-Link DIR-868L versions not specified D-Link DIR-869 versions not specified D-Link DIR-880L versions not specified D-Link DIR-890L/R versions not specified D-Link DIR-885L/R versions not specified D-Link DIR-895L/R versions not specified

Description The issue exists due to the failure to neutralize special elements used in the operating system command. This can allow a remote attacker to execute arbitrary commands as the root user in the target system due to incorrect handling of the SUBSCRIBE request in the /gena.cgi file. The estimated number of potentially affected devices is not specified.

Recommendations For D-Link DIR-859 versions 1.05 through 1.06B01 Beta01, consider disabling access to the /gena.cgi endpoint until a patch is available. For other affected versions, at the moment, there is no information about a newer version that contains a fix for this vulnerability.