CVE-2019-17621
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary system commands with root privileges on D-Link DIR-859 routers by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service. Attackers can gain complete control of affected routers when connected to the local network. Users of D-Link DIR-859 routers with vulnerable firmware versions are affected.
💻 Affected Systems
- D-Link DIR-859 Wi-Fi Router
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router with root access, allowing attackers to intercept all network traffic, install persistent malware, pivot to internal network devices, or use the router as a botnet node.
Likely Case
Router takeover leading to credential theft, DNS hijacking, man-in-the-middle attacks, and network surveillance.
If Mitigated
Limited impact if router is isolated from critical systems and network segmentation prevents lateral movement.
🎯 Exploit Status
Exploit requires local network access but is trivial to execute with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.06B02 or later
Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10146
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to the Firmware Update section.
3. Download the latest firmware from the D-Link support site.
4. Upload and install the firmware update.
5. Reboot the router after installation.
🔧 Temporary Workarounds
Disable UPnP Service
Turn off the Universal Plug and Play service to prevent exploitation via the vulnerable endpoint.
Login to router admin panel → Advanced → UPnP → Disable
Network Segmentation
Isolate the router management interface from user network segments.
Configure VLANs to separate management traffic from user traffic
🧯 If You Can't Patch
- Replace router with supported model that receives security updates
- Implement strict network access controls to limit who can reach router management interface
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface. If version is 1.05 or 1.06B01 Beta01, device is vulnerable.
Check Version:
Login to router admin interface and check System Status or Firmware Information page.
Verify Fix Applied:
Verify firmware version is 1.06B02 or later after update.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /gena.cgi with SUBSCRIBE method
- Unusual process execution from web service
- Failed authentication attempts to router admin
Network Indicators:
- HTTP SUBSCRIBE requests to router IP on port 80/443
- Unusual outbound connections from router
- DNS queries to suspicious domains from router
SIEM Query:
source="router_logs" AND (uri="/gena.cgi" OR method="SUBSCRIBE")
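The two checks above (the firmware-version test under "How to Verify" and the /gena.cgi SUBSCRIBE indicator under "Detection & Monitoring") as one added Python example. This is not code from the advisory or from D-Link: the access-log layout is a constructed Apache/CLF-style line (real router log formats differ, so the regex is an assumption to adapt), and the version comparison assumes the vendor's version strings order as (major, minor, build), with 1.06B02 as the fixed release named above.

```python
"""Added example (not part of the advisory): flag HTTP SUBSCRIBE requests to
/gena.cgi in router web-server access logs and classify a reported DIR-859
firmware version against the fixed release named in the vendor advisory.
"""
import re
from dataclasses import dataclass

# Assumed access-log shape (constructed, CLF-style):
#   <client> - - [<timestamp>] "<METHOD> <path> HTTP/1.x" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

VULN_PATH = "/gena.cgi"          # UPnP GENA endpoint named in the advisory
FIXED_VERSION = (1, 6, 2)        # 1.06B02 per the vendor advisory (assumed ordering)

# Matches "1.05", "1.06B01 Beta01", "1.06B02"; the build number after "B" is optional.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)(?:B(\d+))?', re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    client: str
    method: str
    path: str
    reason: str


def parse_firmware_version(text):
    """Turn a DIR-859 firmware string into a comparable (major, minor, build) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build) if build else 0)


def is_vulnerable_version(text):
    """True when the reported firmware is older than the fixed release 1.06B02."""
    return parse_firmware_version(text) < FIXED_VERSION


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(rec):
    """Return a reason string when the record matches the advisory's indicators, else None.

    Mirrors the SIEM query: uri="/gena.cgi" OR method="SUBSCRIBE", with the
    combination of both ranked as the strongest indicator.
    """
    path = rec["path"].split("?", 1)[0]   # ignore any query string when matching the path
    if rec["method"] == "SUBSCRIBE" and path == VULN_PATH:
        return "SUBSCRIBE to UPnP GENA endpoint (CVE-2019-17621 indicator)"
    if path == VULN_PATH:
        return "request to /gena.cgi with non-SUBSCRIBE method (review)"
    if rec["method"] == "SUBSCRIBE":
        return "SUBSCRIBE method outside /gena.cgi (review)"
    return None


def scan_log(lines):
    """Run the indicator check over an iterable of log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_request(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["client"], rec["method"], rec["path"], reason))
    return findings


# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    '192.168.0.23 - - [27/Dec/2019:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.168.0.77 - - [27/Dec/2019:10:14:09 +0000] "SUBSCRIBE /gena.cgi HTTP/1.1" 200 0',
    '192.168.0.77 - - [27/Dec/2019:10:14:10 +0000] "POST /gena.cgi HTTP/1.1" 400 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ver in ("1.05", "1.06B01 Beta01", "1.06B02"):
        print(f"{ver:16s} vulnerable={is_vulnerable_version(ver)}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.method} {f.path}: {f.reason}")
```

Feed `scan_log` the router's access log (or the web-server lines forwarded to your SIEM) and treat a SUBSCRIBE hit on /gena.cgi from a client that has no business talking UPnP as a priority alert; the weaker "review" findings exist so the query stays as broad as the page's `OR` form without drowning the strong indicator. Because UPnP is normally reachable only from the LAN, the source address of any hit also tells you which internal host to look at next.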
🔗 References
- http://packetstormsecurity.com/files/156054/D-Link-DIR-859-Unauthenticated-Remote-Command-Execution.html
- https://medium.com/%40s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-en-d94b47a15104
- https://medium.com/%40s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-es-fad716629ff9
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10146
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147
- https://www.dlink.com/en/security-bulletin
- https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-17621