CVE-2019-13373

CRITICAL

D-Link Central WiFiManager - SQL Injection via dbSQL Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13373. PoCs published by M3@ZionLab from DBAppSecurity, including Metasploit module auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.

AI-analyzed exploit summary This Metasploit module exploits a SQL injection vulnerability in D-Link Central WiFiManager CWM(100) before v1.03R0100_BETA6. It allows unauthenticated SQL query execution, enabling retrieval of user credentials, device configurations, and other data, as well as adding or removing administrator users.

Description

An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL.

Exploits (1)

metasploit WORKING POC
by M3@ZionLab from DBAppSecurity · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.rb

This Metasploit module exploits a SQL injection vulnerability in D-Link Central WiFiManager CWM(100) before v1.03R0100_BETA6. It allows unauthenticated SQL query execution, enabling retrieval of user credentials, device configurations, and other data, as well as adding or removing administrator users.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: D-Link Central WiFiManager CWM(100) before v1.03R0100_BETA6
No auth needed
Prerequisites: Network access to the target device · Exposed API endpoint at /Public/Conn.php
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.6882
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
dlink/central_wifimanager 1.03
Published Jul 06, 2019
Tracked Since Feb 18, 2026