CVE-2019-20499

HIGH

D-Link DWL-2600AP < 4.2.0.15 - Authenticated OS Command Injection via Config Restore

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-20499. PoCs published by Metasploit, Raki Ben Hamouda, RAKI BEN HAMOUDA, Nick Starke, including Metasploit module exploits/linux/http/dlink_dwl_2600_command_injection.

AI-analyzed exploit summary This Metasploit module exploits an authenticated command injection vulnerability in D-Link DWL-2600 access points by injecting commands into the 'configServerip' parameter of a POST request to 'admin.cgi'. It supports both direct command execution and staged payloads for MIPSLE Linux targets.

Description

D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/48274

This Metasploit module exploits an authenticated command injection vulnerability in D-Link DWL-2600 access points by injecting commands into the 'configServerip' parameter of a POST request to 'admin.cgi'. It supports both direct command execution and staged payloads for MIPSLE Linux targets.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: D-Link DWL-2600AP (firmware versions with CVE-2019-20499)
Auth required
Prerequisites: Network access to the target device · Valid credentials (default: admin/admin)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Raki Ben Hamouda · textwebappshardware
https://www.exploit-db.com/exploits/46841

The exploit demonstrates an authenticated OS command injection vulnerability in D-Link DWL-2600AP via the `configRestore`, `configServerip`, `configBackup`, `downloadServerip`, `firmwareRestore`, and `firmwareServerip` parameters. Commands are injected into TFTP-related form fields, allowing arbitrary command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: D-Link DWL-2600AP (Firmware 4.2.0.15, Hardware A1)
Auth required
Prerequisites: Authenticated access to the web interface · Valid session cookie
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by RAKI BEN HAMOUDA, Nick Starke · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dlink_dwl_2600_command_injection.rb

This Metasploit module exploits an authenticated OS command injection vulnerability in D-Link DWL-2600 access points. It leverages default credentials (admin/admin) to authenticate and inject commands via a crafted POST request to the admin.cgi endpoint.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: D-Link DWL-2600 Access Point
Auth required
Prerequisites: Network access to the target device · Valid credentials (default: admin/admin)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/46841

Scores

CVSS v3 7.8
EPSS 0.8885
EPSS Percentile 99.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
dlink/dwl-2600ap_firmware < 4.2.0.15
Published Mar 05, 2020
Tracked Since Feb 18, 2026