CVE-2019-20217
Description
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-859 routers allow unauthenticated remote command execution via crafted UPnP M-SEARCH requests due to improper handling of SERVER_ID in ssdpcgi().
Vulnerability
The vulnerability resides in the ssdpcgi() function within /htdocs/cgibin on D-Link DIR-859 routers running firmware versions 1.05 and 1.06B01 Beta01. The function mishandles the SERVER_ID value extracted from UPnP M-SEARCH requests. Specifically, it uses the strstr function to check for the presence of a urn: string, but fails to sanitize the input, allowing an attacker to inject arbitrary shell metacharacters [1].
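As an added illustration (not D-Link's code and not taken from the cited references), the C sketch below contrasts a substring check of the kind the description names with a whole-string validator for the UPnP search-target form `urn:<domain>:(device|service):<type>:<version>`. The function names, the 64-character field limit and the sample values are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a substring check: accepts any value that merely
 * CONTAINS the expected tokens, whatever else surrounds them. */
static bool st_check_substring(const char *st) {
    return strstr(st, "urn:") != NULL &&
           (strstr(st, ":device:") != NULL || strstr(st, ":service:") != NULL);
}

/* Length of the leading run of characters allowed inside one URN field. */
static size_t field_len(const char *s) {
    size_t n = 0;
    while (isalnum((unsigned char)s[n]) || s[n] == '-' || s[n] == '.' || s[n] == '_')
        n++;
    return n;
}

/* Whole-string check: urn:<domain>:(device|service):<type>:<version>.
 * Anything outside the allow-list, or any trailing byte, is rejected. */
static bool st_check_strict(const char *st) {
    if (strncmp(st, "urn:", 4) != 0) return false;
    const char *p = st + 4;
    for (int i = 0; i < 4; i++) {            /* domain, kind, type, version */
        size_t n = field_len(p);
        if (n == 0 || n > 64) return false;  /* 64 is an assumed limit */
        if (i == 1 && !((n == 6 && memcmp(p, "device", 6) == 0) ||
                        (n == 7 && memcmp(p, "service", 7) == 0)))
            return false;
        if (i == 3 && strspn(p, "0123456789") != n) return false;
        p += n;
        if (i < 3 && *p++ != ':') return false;
    }
    return *p == '\0';
}

int main(void) {
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = {
        "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
        "urn:schemas-upnp-org:service:WANIPConnection:1",
        "urn:schemas-upnp-org:device:Basic:1;echo",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("substring=%d strict=%d  %s\n", st_check_substring(samples[i]),
               st_check_strict(samples[i]), samples[i]);
    return 0;
}
```

Validation of this kind complements, rather than replaces, handing the value to a child process as a separate argument instead of building a shell command string from it.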
Exploitation
An attacker sends a crafted M-SEARCH request to the device's UPnP service on the LAN side. The request must include a urn: value containing shell metacharacters (such as ;, |, &) followed by arbitrary OS commands. No authentication is required, and the attacker only needs network access to the device's LAN interface [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands on the device with root privileges. This can lead to full compromise of the router, including data exfiltration, further network attacks, or denial of service [1].
Mitigation
D-Link has released patches for some affected models; for the DIR-859, users should upgrade to the latest firmware available on the D-Link support website. The advisory lists firmware versions for many devices, but notes that several models have reached End of Life (EOL) and may not receive fixes [1]. If no patched firmware is available, users should disable UPnP on the device or restrict LAN access to trusted devices.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- D-Link/DIR-859 (description)
Patches
No patches discovered yet.
References (3)
- medium.com/%40s1kr10s/d-link-dir-859-rce-unauthenticated-cve-2019-20216-cve-2019-20217-en-6bca043500ae (mitre, x_refsource_MISC)
- medium.com/%40s1kr10s/d-link-dir-859-rce-unauthenticated-cve-2019-20216-cve-2019-20217-es-e11ca6168d35 (mitre, x_refsource_MISC)
- supportannouncement.us.dlink.com/announcement/publication.aspx (mitre, x_refsource_CONFIRM)