CVE-2019-16057
CVE-2019-16057 is a critical-severity vulnerability in Dlink Dns-320 Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-15). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 87% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-04-15)
- EU (EUVD) id: EUVD-2019-6920
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-04-15)
- Weakness: CWE-78
- Affected product: Dlink Dns-320 Firmware
- Published:
- Last modified:
Description
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
CVE-2019-16057: Remote Command Injection in D-Link DNS-320 login_mgr.cgi
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2019-16057 |
| Published | 2019-09-16 |
| Last Modified | 2026-06-17 |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-78: OS Command Injection |
| EPSS | 0.8721 (97.7th percentile) |
| CISA KEV | Yes (added 2022-04-15) |
| Source | NVD |
Summary
The login_mgr.cgi script in D-Link DNS-320 Network Attached Storage (NAS) firmware through version 2.05.B10 is vulnerable to remote command injection. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary operating-system commands with root privileges on the device.
Background
D-Link DNS-320 is a consumer-grade NAS device designed for home and small-office file sharing. The device exposes a web-based management interface that includes the login_mgr.cgi endpoint for authentication handling. In affected firmware versions, this endpoint does not adequately sanitize user-controlled input before passing it to shell-execution contexts, creating a direct path from the HTTP request to the underlying operating system.
Root Cause — CWE-78
This vulnerability is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection).
The root cause is that login_mgr.cgi constructs operating-system commands using attacker-supplied input without proper input validation, escaping, or parameterization. When a request reaches the CGI script, the application logic treats portions of the HTTP parameters as literal shell tokens rather than as data, allowing metacharacters (such as command separators, backticks, and pipe operators) to alter the intended command flow and inject arbitrary instructions.
Impact
The CVSS v3 score of 9.8 (CRITICAL) reflects the severe, unauthenticated nature of this flaw:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable from any routable source without physical access |
| Attack Complexity | Low | No specialized conditions or advanced techniques needed |
| Privileges Required | None | Fully unauthenticated |
| User Interaction | None | No victim action required |
| Scope | Unchanged | Impact remains within the vulnerable device |
| Confidentiality | High | Complete data exposure on the device |
| Integrity | High | Attacker can modify firmware, configuration, or stored files |
| Availability | High | Device can be bricked, rebooted, or rendered unavailable |
Exploitation Walkthrough (Defensive Context)
Ethics Caveat: The following walkthrough is provided for defensive awareness, detection tuning, and incident-response context only. It does not contain weaponized exploit code. Unauthorized access to systems you do not own or operate is illegal under most jurisdictions.
- Reconnaissance: An attacker identifies a D-Link DNS-320 device exposed to the internet or a local network segment (commonly via TCP ports 80/443 or passive service-discovery broadcasts).
- Parameter Analysis: The attacker sends HTTP requests to the
login_mgr.cgiendpoint and observes how query parameters or POST body fields are processed. - Injection Testing: By injecting shell metacharacters into login fields (for example, using semicolons, backticks, or pipe operators), the attacker observes anomalous response timing, error messages, or side effects indicating command execution.
- Command Confirmation: The attacker issues a benign command (such as a DNS lookup or time-delay) to confirm the injected command is executed by the underlying OS.
- Post-Exploitation Risk: With root shell access, the attacker can harvest stored credentials, exfiltrate files, install persistent firmware implants, pivot into the internal network, or use the device as a botnet node.
Affected and Patched Versions
| Status | Product / Firmware |
|---|---|
| Affected | D-Link DNS-320 firmware through 2.05.B10 |
| Patched | No patched version identified in available data. D-Link has formally ceased active support for this end-of-life product line. |
Because the DNS-320 is an older device, D-Link has not publicly released a firmware patch specifically for this CVE. Defenders should treat all DNS-320 units running firmware ≤ 2.05.B10 as permanently vulnerable.
Remediation
-
Immediate — Remove Exposure:
- Disconnect the device from the internet.
- If internal use is required, place it behind a firewall that restricts access to trusted management IP ranges only.
- Disable remote/cloud access features on the device if available.
-
Compensating Controls:
- Segment the NAS onto an isolated VLAN with no outbound internet access.
- Apply strict ingress rules on the management interface (TCP/80, TCP/443) so only designated admin hosts can reach it.
- Monitor proxy / IDS logs for requests to
login_mgr.cgicontaining shell metacharacters.
-
Long-Term — Replace the Device:
- Given the end-of-life status and lack of patches, the safest and most compliant remediation is to retire the DNS-320 and migrate data to a currently supported NAS platform with active security maintenance.
Detection
- Network Signatures: Monitor for inbound HTTP requests to
/login_mgr.cgiwith abnormal query parameters, especially those containing shell tokens (;,|,&&,`,$(),|bash, etc.). - Behavioral Telemetry: Unexpected DNS queries, outbound connections, or file-system activity from the NAS process context are strong indicators of successful exploitation.
- Log Analysis: If the device supports any form of request logging (or if traffic is captured at a reverse proxy / WAF), correlate
login_mgr.cgiaccess with anomalous response codes or payload sizes. - Vulnerability Scanning: Use authenticated or unauthenticated network scanners that include this CVE to confirm exposure during routine assessments.
Assessment
With an EPSS score of 0.8721 (placing it in the 97.7th percentile), this CVE is one of the most actively exploited weaknesses in the catalog. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) list since April 2022 confirms that threat actors routinely target internet-facing DNS-320 devices.
Key lessons:
- Legacy IoT/NAS devices must not face the internet. A consumer-grade device from 2010–2015 without ongoing patch support becomes a liability the moment it is exposed to a hostile network.
- Input validation is foundational. CWE-78 remains a top-ten recurring vulnerability class because developers continue to pass user input directly to shell execution primitives. Every parameter entering a system boundary must be treated as hostile until proven otherwise.
References
Frequently asked questions
- What is CVE-2019-16057?
- The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
- How severe is CVE-2019-16057?
- CVE-2019-16057 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-16057 being actively exploited?
- Yes. CVE-2019-16057 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-16057?
- CVE-2019-16057 affects Dlink Dns-320 Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-16057?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-16057 have an EU (EUVD) identifier?
- Yes. CVE-2019-16057 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-6920. It is also flagged as exploited in the EUVD (since 2022-04-15).
- When was CVE-2019-16057 published?
- CVE-2019-16057 was published on 2019-09-16 and last updated on 2026-06-17.
References
- https://blog.cystack.net/d-link-dns-320-rce/
- https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16057
Affected products (1)
- cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Dlink Dns-320 Firmware
- CVE-2024-3272 — Critical (CVSS 9.8): ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link…
- CVE-2020-25506 — Critical (CVSS 9.8): D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead…
- CVE-2026-5214 — High (CVSS 8.8): A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L,…
- CVE-2026-5213 — High (CVSS 8.8): A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L,…
- CVE-2026-5212 — High (CVSS 8.8): A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L,…
- CVE-2026-5211 — High (CVSS 8.8): A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323,…
All CVEs affecting Dlink Dns-320 Firmware →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…