CVE-2019-20501

Name of the Vulnerable Software and Affected Versions D-Link DWL-2600AP version 4.2.0.15 Rev A

Description The issue is an authenticated OS command injection vulnerability via the Upgrade Firmware functionality in the Web interface. This can be exploited by using shell metacharacters in the firmwareRestore or firmwareServerip parameter of the admin.cgi?action=upgrade endpoint, such as "/api/admin.cgi?action=upgrade".

Recommendations For D-Link DWL-2600AP version 4.2.0.15 Rev A, as a temporary workaround, consider restricting access to the admin.cgi?action=upgrade endpoint until a patch is available. Avoid using shell metacharacters in the firmwareRestore or firmwareServerip parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.