CVE-2019-20215
Description
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-859 devices running firmware 1.05 and 1.06B01 Beta01 allow unauthenticated remote attackers to execute arbitrary OS commands via a crafted M-SEARCH UPnP request to the ssdpcgi() handler.
Vulnerability
An OS command injection vulnerability exists in the ssdpcgi() function in /htdocs/cgibin on D-Link DIR-859 Rev. Ax devices running firmware versions 1.05 and 1.06B01 Beta01 [1][2]. The M-SEARCH method used by the UPnP subsystem receives a urn: value for the service/device type. This value is checked using the strstr function but not sanitized, allowing shell metacharacters to be injected and arbitrary commands to be appended [1]. The issue lies in how the HTTP_ST environment variable is handled during this check [1].
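An added example (not code from the DIR-859 firmware or from the cited references) that contrasts a substring-style check, of the kind the description attributes to ssdpcgi(), with a whole-value allowlist check. The function names, the `:device:`/`:service:` markers, the length bound and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ST_MAX_LEN 128  /* assumed upper bound for an ST header value */

/* Weak pattern: passes any value that merely CONTAINS the expected markers,
 * so anything appended after them (';', '|', ...) is never looked at. */
int st_check_substring(const char *st)
{
    return st != NULL && strstr(st, "urn:") != NULL &&
           (strstr(st, ":device:") != NULL || strstr(st, ":service:") != NULL);
}

/* Strict pattern: the WHOLE value must be "urn:" followed only by
 * alphanumerics and ':', '-', '.', '_' (assumed allowlist for a type URN). */
int st_check_strict(const char *st)
{
    size_t i, len;

    if (st == NULL || strncmp(st, "urn:", 4) != 0)
        return 0;
    len = strlen(st);
    if (len <= 4 || len > ST_MAX_LEN)
        return 0;
    for (i = 4; i < len; i++) {
        unsigned char c = (unsigned char)st[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') ||
                 c == ':' || c == '-' || c == '.' || c == '_';
        if (!ok)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values; the second carries a trailing metacharacter. */
    const char *samples[] = {
        "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
        "urn:schemas-upnp-org:device:1;CONSTRUCTED",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s substring=%d strict=%d\n", samples[i],
               st_check_substring(samples[i]), st_check_strict(samples[i]));
    return 0;
}
```

Input validation of this kind is a second line of defence; a handler that passes the value as a discrete argument to `execve()` instead of building a shell command string does not interpret metacharacters at all.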
Exploitation
The attacker needs only LAN-side network access to the device; no authentication is required [2]. By sending a specially crafted M-SEARCH packet via UPnP to the ssdpcgi URI, the attacker includes shell metacharacters (such as ; or |) in the urn: field to break out of the intended service name check and concatenate additional OS commands [1]. The vulnerable code path in ssdpcgi() is reachable without any prior session or credentials.
Impact
Successful exploitation yields remote code execution on the affected device as the root user, giving the attacker full control over the router [1]. This can be used to modify router configuration, exfiltrate network traffic, launch further attacks against internal hosts, or persist on the device [1][2].
Mitigation
D-Link has acknowledged this vulnerability and marked the affected devices as End of Support (EOS) / End of Life (EOL), meaning no firmware patches will be provided [2]. Users are advised to replace the device with a supported model. No software workaround exists, and the vendor recommends segregating affected devices from untrusted LAN segments until they can be retired [2].
References
[1] http://packetstormsecurity.com/files/156250/D-Link-ssdpcgi-Unauthenticated-Remote-Command-Execution.html
[2] https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-859
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/156250/D-Link-ssdpcgi-Unauthenticated-Remote-Command-Execution.html (mitre, x_refsource_MISC)
- medium.com/%40s1kr10s/d-link-dir-859-unauthenticated-rce-in-ssdpcgi-http-st-cve-2019-20215-en-2e799acb8a73 (mitre, x_refsource_MISC)
- supportannouncement.us.dlink.com/announcement/publication.aspx (mitre, x_refsource_CONFIRM)