CVE-2019-16920

CRITICAL KEV RANSOMWARE NUCLEI

D-Link DIR-655 Firmware < 3.02b05 - Unauthenticated Remote Code Execution via PingTest CGI


Exploitation Summary

CVE-2019-16920 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including eniac888. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains functional exploit code for CVE-2019-16920, which targets unauthenticated remote code execution in multiple D-Link routers via command injection in the 'PingTest' CGI interface. The exploits demonstrate both single-target and mass exploitation capabilities.

Description

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to command injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

Exploits (1)

nomisec · WORKING POC · 1 star
by eniac888 · remote
https://github.com/eniac888/CVE-2019-16920-MassPwn3r


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: D-Link routers (DIR-655, DIR-866L, DIR-652, DHP-1565, etc.)
No auth needed
Prerequisites: Network access to the target device · Target device must have the vulnerable CGI interface exposed
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

D-Link Routers - Remote Code Execution
CRITICAL · by dwisiswant0

References (5)

Core References
https://fortiguard.com/zeroday/FG-VD-19-117 (Broken Link, Third Party Advisory; x_refsource_misc)
https://www.seebug.org/vuldb/ssvid-98079 (Exploit, Third Party Advisory; x_refsource_misc)
https://www.kb.cert.org/vuls/id/766427 (Third Party Advisory, US Government Resource; third-party-advisory, x_refsource_cert-vn)

Scores

CVSS v3 9.8
EPSS 0.9434
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2020-09-16
InTheWild.io 2019-05-07
ENISA EUVD EUVD-2019-7414
Ransomware Use Confirmed
CWE CWE-78
Status published
Products (10)
dlink/dap-1533_firmware
dlink/dhp-1565_firmware < 1.01
dlink/dir-615_firmware
dlink/dir-652_firmware
dlink/dir-655_firmware < 3.02b05
dlink/dir-825_firmware
dlink/dir-835_firmware
dlink/dir-855l_firmware
dlink/dir-862l_firmware
dlink/dir-866l_firmware < 1.03b04
Published Sep 27, 2019
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026