OpenCVE

D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dlink	Dsl-2750b Dsl-2750b Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dsl-2750b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dsl-2750b:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://seclists.org/fulldisclosure/2016/Feb/53
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10088
https://www.exploit-db.com/exploits/44760

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-19T00:00:00

Updated: 2024-08-06T03:47:35.074Z

Reserved: 2022-10-19T00:00:00

Link: CVE-2016-20017

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-19T05:15:08.817

Modified: 2024-11-21T02:47:34.057

Link: CVE-2016-20017

Redhat

No data.

{"cisaActionDue": "2024-01-29", "cisaExploitAdd": "2024-01-08", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "D-Link DSL-2750B Devices Command Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dsl-2750b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "04123BAB-C2BE-4AF3-9A87-5BA14DB3A3F8", "versionEndExcluding": "1.05", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dsl-2750b:-:*:*:*:*:*:*:*", "matchCriteriaId": "69C4C27E-ACC8-419F-8FBA-58318C91327C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022."}, {"lang": "es", "value": "Los dispositivos D-Link DSL-2750B versiones anteriores a 1.05, permiten una inyecci\u00f3n remota de comandos no autenticados por medio del par\u00e1metro cli login.cgi, como ha sido explotado \"in the wild\" en 2016 hasta 2022"}], "id": "CVE-2016-20017", "lastModified": "2024-11-21T02:47:34.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-19T05:15:08.817", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2016/Feb/53"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10088"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/44760"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2016/Feb/53"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10088"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/44760"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}