CVE-2019-17621

CRITICAL KEV

D-Link DIR-859 Firmware < 1.05b03 - Unauthenticated Remote Code Execution via UPnP gena.cgi

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-17621 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 29, 2023. EIP tracks 2 public exploits from researchers including Squirre17, Miguel Mendez Z., @s1kr10s, Pablo Pollanco P., including a Metasploit module exploits/linux/upnp/dlink_dir859_subscribe_exec.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2019-17621, an unauthenticated RCE vulnerability in D-Link devices. The exploit sends a crafted SUBSCRIBE request to the UPnP service to execute arbitrary commands, specifically spawning a telnetd service on port 9999.

Description

The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an Unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network.

Exploits (2)

nomisec WORKING POC 3 stars
by Squirre17 · remote
https://github.com/Squirre17/CVE-2019-17621

This repository contains a functional Python exploit for CVE-2019-17621, an unauthenticated RCE vulnerability in D-Link devices. The exploit sends a crafted SUBSCRIBE request to the UPnP service to execute arbitrary commands, specifically spawning a telnetd service on port 9999.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: D-Link devices (specific models not specified)
No auth needed
Prerequisites: Network access to the target device · UPnP service exposed on the target
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Miguel Mendez Z., @s1kr10s, Pablo Pollanco P. · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb

This Metasploit module exploits an unauthenticated OS command injection vulnerability in D-Link DIR-859 routers via the UPnP interface. It leverages the /gena.cgi endpoint to execute arbitrary commands without credentials.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: D-Link DIR-859 Router
No auth needed
Prerequisites: Network access to the vulnerable router · UPnP interface exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
Vendor Advisory x_refsource_misc
https://www.dlink.com/en/security-bulletin

Scores

CVSS v3 9.8
EPSS 0.8962
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-06-29
VulnCheck KEV 2023-06-22
InTheWild.io 2023-06-29
ENISA EUVD EUVD-2019-7939
CWE
CWE-78
Status published
Products (19)
dlink/dir-818lx_firmware
dlink/dir-822_firmware < 2.03b01
dlink/dir-823_firmware 1.00b06 beta
dlink/dir-823_firmware < 1.00b06
dlink/dir-859_firmware 1.06b01 beta1
dlink/dir-859_firmware < 1.05b03
dlink/dir-865l_firmware < 1.07b01
dlink/dir-868l_firmware < 1.12b04
dlink/dir-869_firmware 1.03b02 beta02
dlink/dir-869_firmware < 1.03b02
... and 9 more
Published Dec 30, 2019
KEV Added Jun 29, 2023
Tracked Since Feb 18, 2026