CVE-2019-16190
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authentication on D-Link SharePort Web Access by directly accessing folder_view.php or category_view.php files. It affects D-Link DIR-868L, DIR-885L, and DIR-895L routers with vulnerable firmware versions. Attackers can access network shares and potentially sensitive files without credentials.
💻 Affected Systems
- D-Link DIR-868L REVB
- D-Link DIR-885L REVA
- D-Link DIR-895L REVA
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network shares, exposure of sensitive files, lateral movement within network, and potential data exfiltration.
Likely Case
Unauthorized access to shared files and folders, potential exposure of sensitive documents or media files.
If Mitigated
Limited to accessing only non-sensitive shared files if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Exploitation requires only HTTP requests to specific PHP files. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after those listed in affected versions
Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to firmware update section. 3. Download latest firmware from D-Link support site. 4. Upload and apply firmware update. 5. Reboot router after update completes.
🔧 Temporary Workarounds
Disable SharePort Web Access
allTurn off the SharePort Web Access feature to prevent exploitation
Log into router admin interface -> USB Settings -> Disable SharePort Web Access
Block External Access
allConfigure firewall to block external access to router web interface
Configure firewall rules to block WAN access to router IP on ports 80/443
🧯 If You Can't Patch
- Disable SharePort Web Access feature immediately
- Implement network segmentation to isolate router from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[router-ip]/folder_view.php or http://[router-ip]/category_view.php without authentication. If accessible, device is vulnerable.Check Version:
Log into router admin interface and check firmware version in System Status or About sectionVerify Fix Applied:
After patching, attempt same access. Should receive authentication prompt or error. Check firmware version is above vulnerable versions.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to folder_view.php or category_view.php without preceding authentication logs
- Unusual file access patterns from external IPs
Network Indicators:
- HTTP GET requests to /folder_view.php or /category_view.php from external sources
- Unusual traffic to router web interface on standard ports
SIEM Query:
source_ip=external AND (url_path="/folder_view.php" OR url_path="/category_view.php") AND NOT (preceding_event="POST /login.php" OR preceding_event="authentication_success")