CVE-2019-15656 – This vulnerability in D-Link DSL-2875AL and DSL... (How to Fix)

Q: What is the severity of CVE-2019-15656?

CVE-2019-15656 has a CVSS score of 7.5 (HIGH). This vulnerability in D-Link DSL-2875AL and DSL-2877AL routers allows attackers to retrieve administrator credentials via a simple crafted HTTP request to the web management interface. It affects users of these specific D-Link router models who have not applied security patches. The information disclosure occurs through exposed username_v and password_v variables in index.asp.

📋 TL;DR

This vulnerability in D-Link DSL-2875AL and DSL-2877AL routers allows attackers to retrieve administrator credentials via a simple crafted HTTP request to the web management interface. It affects users of these specific D-Link router models who have not applied security patches. The information disclosure occurs through exposed username_v and password_v variables in index.asp.

💻 Affected Systems

Products:

D-Link DSL-2875AL
D-Link DSL-2877AL

Versions: Through version 1.00.05

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface which is typically enabled by default on these devices.

📦 What is this software?

Dsl 2875al Firmware by Dlink

View all CVEs affecting Dsl 2875al Firmware →

Dsl 2877al Firmware by Dlink

View all CVEs affecting Dsl 2877al Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative access to the router, enabling them to reconfigure network settings, intercept traffic, install malware, or use the device as part of a botnet.

🟠

Likely Case

Attackers obtain router admin credentials and use them to change DNS settings, redirect traffic, or monitor network activity.

🟢

If Mitigated

With proper network segmentation and firewall rules, the impact is limited to the router itself without compromising internal network resources.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The exploit requires only a simple HTTP request to the vulnerable endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.00.05

Vendor Advisory: https://www.dlink.com/en/security-bulletin

Restart Required: Yes

Instructions:

1. Log into D-Link support portal. 2. Download latest firmware for your specific model. 3. Access router web interface. 4. Navigate to Maintenance > Firmware Upgrade. 5. Upload and apply the new firmware. 6. Wait for automatic reboot.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the web management interface

Restrict Management Interface Access

all

Configure firewall rules to only allow management access from trusted IP addresses

🧯 If You Can't Patch

Replace affected routers with updated models or different vendors
Implement network segmentation to isolate router management traffic

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: System > Status > Firmware Version

Check Version:

curl -s http://router-ip/status.asp | grep -i firmware

Verify Fix Applied:

Confirm firmware version is newer than 1.00.05 and test that accessing index.asp with crafted parameters no longer returns credentials

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests to index.asp with crafted parameters
Multiple failed login attempts followed by successful login from new IP

Network Indicators:

HTTP requests to router IP on port 80/443 containing username_v or password_v parameters
Unusual outbound traffic from router

SIEM Query:

source="router_logs" AND (uri="*index.asp*" AND (param="*username_v*" OR param="*password_v*"))

📊 Metadata

CVE ID: CVE-2019-15656

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-200

Published: March 19, 2020

Last Updated: November 21, 2024

🔗 References

https://www.dlink.com/en/security-bulletin Vendor Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26165 Exploit,Third Party Advisory
https://www.dlink.com/en/security-bulletin Vendor Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26165 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-15656, you might also want to check these: