CVE-2016-20017

CRITICAL KEV

D-Link DSL-2750B <1.05 - Command Injection

Title source: llm

Exploitation Summary

CVE-2016-20017 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 8, 2024. EIP tracks 2 public exploits from researchers including Metasploit, p@ql, including a Metasploit module exploits/linux/http/dlink_dsl2750b_exec_noauth.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in D-Link DSL-2750B devices via the 'cli' parameter in the 'login.cgi' endpoint. It uses a cmdstager to deliver a payload for remote code execution on vulnerable firmware versions (1.01 to 1.03).

Description

D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotehardware

https://www.exploit-db.com/exploits/44760

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in D-Link DSL-2750B devices via the 'cli' parameter in the 'login.cgi' endpoint. It uses a cmdstager to deliver a payload for remote code execution on vulnerable firmware versions (1.01 to 1.03).

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: D-Link DSL-2750B firmware 1.01 to 1.03

No auth needed

Prerequisites: Network access to the target device · Vulnerable firmware version (1.01 to 1.03)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GREAT

by p@ql · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dlink_dsl2750b_exec_noauth.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in D-Link DSL-2750B devices via the 'cli' parameter in the 'login.cgi' endpoint. It leverages the 'ayecli' binary to execute arbitrary commands without authentication.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: D-Link DSL-2750B firmware versions 1.01 to 1.03

No auth needed

Prerequisites: Network access to the target device · Target device running vulnerable firmware

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Mailing List, Third Party Advisory

https://seclists.org/fulldisclosure/2016/Feb/53

Patch, Vendor Advisory

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10088

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/44760

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-20017

Scores

CVSS v3 9.8

EPSS 0.9209

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2024-01-08

VulnCheck KEV 2018-06-15

InTheWild.io 2017-01-01

ENISA EUVD EUVD-2016-3105

CWE

CWE-77

Status published

Products (1)

dlink/dsl-2750b_firmware < 1.05

Published Oct 19, 2022

KEV Added Jan 08, 2024

Tracked Since Feb 18, 2026