CVE-2019-20216
Description
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-859 routers with firmware up to 1.06B01 Beta01 allow unauthenticated LAN-based remote code execution through a shell metacharacter injection in the UPnP SSDP handler.
Vulnerability
The vulnerability resides in the ssdpcgi() function in /htdocs/cgibin on D-Link DIR-859 devices running firmware versions 1.05 and 1.06B01 Beta01 [1]. The handler improperly validates the urn: field received via the M-SEARCH method of the Simple Service Discovery Protocol (SSDP). Specifically, the value of urn:service/device is checked using strstr(), which is insufficient to prevent injection of arbitrary OS commands separated by shell metacharacters [description]. This allows an attacker to craft a malicious SSDP M-SEARCH request that includes command injection sequences in the urn: parameter.
Exploitation
An attacker must be on the local network (LAN side) to send crafted SSDP multicast or unicast M-SEARCH requests to the vulnerable device [1]. No authentication is required. The attacker includes shell metacharacters (e.g., ";", "|", "&&") and arbitrary commands in the urn: field of the M-SEARCH request. When the device parses the request in ssdpcgi(), the unsanitized REMOTE_PORT (or a related variable) carrying the injected commands is processed, leading to command execution [description].
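The strstr()-based check and a stricter replacement side by side, as an added example that is not code from the DIR-859 firmware or from the cited write-ups; the function names, the URN allowlist and the sample ST header values are constructed assumptions:

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical reconstruction of the weak check described for ssdpcgi():
 * strstr() only asks whether the expected URN prefix appears somewhere in
 * the ST value, so anything appended after it (shell metacharacters
 * included) is still accepted. */
static bool weak_urn_check(const char *st)
{
    return strstr(st, "urn:schemas-upnp-org:service:") != NULL
        || strstr(st, "urn:schemas-upnp-org:device:") != NULL;
}

/* Hardened check (assumed allowlist): reject any character that is not
 * legal in a URN, then require an exact match against the URNs the device
 * actually advertises. The value is never handed to a shell. */
static const char *const known_urns[] = {
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    NULL,
};

static bool is_urn_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
        || (c >= '0' && c <= '9') || c == ':' || c == '-'
        || c == '.' || c == '_';
}

static bool strict_urn_check(const char *st)
{
    size_t len = strlen(st);
    if (len == 0 || len > 128)
        return false;
    for (size_t i = 0; i < len; i++)
        if (!is_urn_char(st[i]))
            return false;   /* drops ; | & $ backtick, space, newline, ... */
    for (const char *const *p = known_urns; *p != NULL; p++)
        if (strcmp(st, *p) == 0)
            return true;
    return false;
}

/* Constructed sample ST header values (not taken from the advisory). */
static const char *const benign_st  = "urn:schemas-upnp-org:service:WANIPConnection:1";
static const char *const tainted_st = "urn:schemas-upnp-org:service:WANIPConnection:1;hypothetical_cmd";
```

The weak check accepts both samples because the prefix is present in each; the strict check accepts only the exact, metacharacter-free URN.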
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands on the affected router with root privileges. This results in a full compromise of the device's operations, enabling data exfiltration, configuration alteration, denial of service, or use as a pivot point for further attacks on the internal network [1]. The impact is rated as critical, with command execution achieved without requiring user interaction.
Mitigation
D-Link has released patches for many affected models, but the advisory notes that some devices have reached End of Support (EOS) / End of Life (EOL) and will not receive fixes [1]. For the DIR-859 Rev. Ax, affected firmware versions 1.05 and 1.06B01 Beta01 should be upgraded to a patched version if available; the vendor's official support announcement references patches for certain listed models [1]. Users of devices not receiving updates should isolate the device from untrusted network segments, disable UPnP if not required, and consider replacing the device if it is critical and unsupported. The CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-859
Patches
No patches discovered yet.
References
- medium.com/%40s1kr10s/d-link-dir-859-rce-unauthenticated-cve-2019-20216-cve-2019-20217-en-6bca043500ae (MISC)
- medium.com/%40s1kr10s/d-link-dir-859-rce-unauthenticated-cve-2019-20216-cve-2019-20217-es-e11ca6168d35 (MISC)
- supportannouncement.us.dlink.com/announcement/publication.aspx (CONFIRM)