CVE-2019-13372
CRITICAL · EXPLOITED IN THE WILD · NUCLEI
Dlink Central Wifimanager < 1.03 - Code Injection
Title source: ruleDescription
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
Exploits (1)
metasploit
WORKING POC
EXCELLENT
by M3@ZionLab from DBAppSecurity · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/dlink_central_wifimanager_rce.rb
Nuclei Templates (1)
D-Link Central WiFi Manager CWM(100) - Remote Code Execution
CRITICAL · VERIFIED · by DhiyaneshDK
Shodan:
html:"D-Link Central WiFiManager"
References (4)
Scores
CVSS v3: 9.8
EPSS: 0.9291
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2021-04-12
InTheWild.io: 2021-04-12
CWE: CWE-287, CWE-94
Status: published
Products (1)
dlink/central_wifimanager < 1.03
Published: Jul 06, 2019
Tracked Since: Feb 18, 2026