CVE-2019-16057

CVE-2019-16057 is a critical-severity vulnerability in Dlink Dns-320 Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-15). The underlying weakness is classified as CWE-78.

Key facts

Description

The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.

CVE-2019-16057: Remote Command Injection in D-Link DNS-320 login_mgr.cgi

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2019-16057
Published 2019-09-16
Last Modified 2026-06-17
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-78: OS Command Injection
EPSS 0.8721 (97.7th percentile)
CISA KEV Yes (added 2022-04-15)
Source NVD

Summary

The login_mgr.cgi script in D-Link DNS-320 Network Attached Storage (NAS) firmware through version 2.05.B10 is vulnerable to remote command injection. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary operating-system commands with root privileges on the device.

Background

D-Link DNS-320 is a consumer-grade NAS device designed for home and small-office file sharing. The device exposes a web-based management interface that includes the login_mgr.cgi endpoint for authentication handling. In affected firmware versions, this endpoint does not adequately sanitize user-controlled input before passing it to shell-execution contexts, creating a direct path from the HTTP request to the underlying operating system.

Root Cause — CWE-78

This vulnerability is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection).

The root cause is that login_mgr.cgi constructs operating-system commands using attacker-supplied input without proper input validation, escaping, or parameterization. When a request reaches the CGI script, the application logic treats portions of the HTTP parameters as literal shell tokens rather than as data, allowing metacharacters (such as command separators, backticks, and pipe operators) to alter the intended command flow and inject arbitrary instructions.

Impact

The CVSS v3 score of 9.8 (CRITICAL) reflects the severe, unauthenticated nature of this flaw:

Metric Value Implication
Attack Vector Network Exploitable from any routable source without physical access
Attack Complexity Low No specialized conditions or advanced techniques needed
Privileges Required None Fully unauthenticated
User Interaction None No victim action required
Scope Unchanged Impact remains within the vulnerable device
Confidentiality High Complete data exposure on the device
Integrity High Attacker can modify firmware, configuration, or stored files
Availability High Device can be bricked, rebooted, or rendered unavailable

Exploitation Walkthrough (Defensive Context)

Ethics Caveat: The following walkthrough is provided for defensive awareness, detection tuning, and incident-response context only. It does not contain weaponized exploit code. Unauthorized access to systems you do not own or operate is illegal under most jurisdictions.

  1. Reconnaissance: An attacker identifies a D-Link DNS-320 device exposed to the internet or a local network segment (commonly via TCP ports 80/443 or passive service-discovery broadcasts).
  2. Parameter Analysis: The attacker sends HTTP requests to the login_mgr.cgi endpoint and observes how query parameters or POST body fields are processed.
  3. Injection Testing: By injecting shell metacharacters into login fields (for example, using semicolons, backticks, or pipe operators), the attacker observes anomalous response timing, error messages, or side effects indicating command execution.
  4. Command Confirmation: The attacker issues a benign command (such as a DNS lookup or time-delay) to confirm the injected command is executed by the underlying OS.
  5. Post-Exploitation Risk: With root shell access, the attacker can harvest stored credentials, exfiltrate files, install persistent firmware implants, pivot into the internal network, or use the device as a botnet node.

Affected and Patched Versions

Status Product / Firmware
Affected D-Link DNS-320 firmware through 2.05.B10
Patched No patched version identified in available data. D-Link has formally ceased active support for this end-of-life product line.

Because the DNS-320 is an older device, D-Link has not publicly released a firmware patch specifically for this CVE. Defenders should treat all DNS-320 units running firmware ≤ 2.05.B10 as permanently vulnerable.

Remediation

  1. Immediate — Remove Exposure:

    • Disconnect the device from the internet.
    • If internal use is required, place it behind a firewall that restricts access to trusted management IP ranges only.
    • Disable remote/cloud access features on the device if available.
  2. Compensating Controls:

    • Segment the NAS onto an isolated VLAN with no outbound internet access.
    • Apply strict ingress rules on the management interface (TCP/80, TCP/443) so only designated admin hosts can reach it.
    • Monitor proxy / IDS logs for requests to login_mgr.cgi containing shell metacharacters.
  3. Long-Term — Replace the Device:

    • Given the end-of-life status and lack of patches, the safest and most compliant remediation is to retire the DNS-320 and migrate data to a currently supported NAS platform with active security maintenance.

Detection

  • Network Signatures: Monitor for inbound HTTP requests to /login_mgr.cgi with abnormal query parameters, especially those containing shell tokens (;, |, &&, `, $(), |bash, etc.).
  • Behavioral Telemetry: Unexpected DNS queries, outbound connections, or file-system activity from the NAS process context are strong indicators of successful exploitation.
  • Log Analysis: If the device supports any form of request logging (or if traffic is captured at a reverse proxy / WAF), correlate login_mgr.cgi access with anomalous response codes or payload sizes.
  • Vulnerability Scanning: Use authenticated or unauthenticated network scanners that include this CVE to confirm exposure during routine assessments.

Assessment

With an EPSS score of 0.8721 (placing it in the 97.7th percentile), this CVE is one of the most actively exploited weaknesses in the catalog. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) list since April 2022 confirms that threat actors routinely target internet-facing DNS-320 devices.

Key lessons:

  1. Legacy IoT/NAS devices must not face the internet. A consumer-grade device from 2010–2015 without ongoing patch support becomes a liability the moment it is exposed to a hostile network.
  2. Input validation is foundational. CWE-78 remains a top-ten recurring vulnerability class because developers continue to pass user input directly to shell execution primitives. Every parameter entering a system boundary must be treated as hostile until proven otherwise.

References

Frequently asked questions

What is CVE-2019-16057?
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
How severe is CVE-2019-16057?
CVE-2019-16057 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-16057 being actively exploited?
Yes. CVE-2019-16057 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-16057?
CVE-2019-16057 affects Dlink Dns-320 Firmware. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-16057?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-16057 have an EU (EUVD) identifier?
Yes. CVE-2019-16057 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-6920. It is also flagged as exploited in the EUVD (since 2022-04-15).
When was CVE-2019-16057 published?
CVE-2019-16057 was published on 2019-09-16 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Dlink Dns-320 Firmware

All CVEs affecting Dlink Dns-320 Firmware →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →