CVE-2016-20017
Verified 2026-06-22
D-Link DSL-2750B Devices vulnerability
D-Link DSL-2750B devices are vulnerable to unauthenticated remote command injection via the login.cgi cli parameter, allowing arbitrary code execution without authentication.
Verdict
Today item — known-exploited.
An unauthenticated remote attacker can inject arbitrary commands through a web interface parameter on vulnerable D-Link DSL-2750B routers, achieving code execution with device privileges. Active exploitation in the wild is confirmed.
01 Is it exploitable? — the evidence, ranked above the score
Reported exploitation
85 independent public reports of in-the-wild exploitation are cataloged. Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-01-08).
Probability (EPSS)
EPSS 0.6043 — modeled likelihood of exploitation activity. EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: D-Link, DSL-2750B Devices. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-77 Command Injection — weakness family: Injection. CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02 Who's exploiting it? — attribution turns risk into urgency
Attribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03 Why it matters — the attack path, told twice: adversary, then board
1. Front door — unauthenticated access
Attacker
I identify the target device as a D-Link DSL-2750B router exposed on the network.
Business
The organization's network perimeter security depends on router integrity and access controls.
2. Keys to the kingdom — privilege/identity takeover
Attacker
I craft a malicious HTTP request to login.cgi with injected shell commands in the cli parameter.
Business
The router becomes a compromised pivot point for lateral network movement and data interception.
3. Lateral reach — past segmentation
Attacker
I execute arbitrary commands on the device without providing valid credentials.
Business
Attackers gain persistent control over network traffic, DNS resolution, and connected client communications.
4. Data at risk — exfiltration
Attacker
I establish a foothold to monitor, modify, or redirect network traffic from all connected devices.
Business
Customer data, credentials, and communications flowing through the router are exposed to interception and theft.
5. Lights out — disruption & extortion
Attacker
I maintain access and use the compromised router for botnet enrollment or further network reconnaissance.
Business
The organization faces regulatory liability, customer notification obligations, and reputational damage from infrastructure compromise.
04 What to do — defensible action
- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.
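An added detection check, not part of this record and not D-Link code: it assumes the router's HTTP requests are visible in a Combined Log Format access log (for example from a reverse proxy or a network sensor in front of the device) and flags login.cgi requests whose cli parameter carries shell metacharacters. The log lines below are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format fields we need: client IP and the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Shell metacharacters that never belong in a login field; a hit on the decoded
# `cli` value of login.cgi is treated as a command-injection attempt.
SHELL_META_RE = re.compile(r'[;|&`$(){}\n<>]')

# Constructed sample log (assumed format); hosts are documentation addresses.
SAMPLE_LOG = (
    '203.0.113.7 - - [08/Jan/2024:10:12:01 +0000] "GET /login.cgi?cli=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    '203.0.113.9 - - [08/Jan/2024:10:12:05 +0000] "GET /login.cgi?cli=x%3Bid HTTP/1.1" 200 32 "-" "curl/7.88"\n'
    '198.51.100.4 - - [08/Jan/2024:10:13:00 +0000] "GET /login.cgi?cli=x%253Bid HTTP/1.1" 200 32 "-" "curl/7.88"\n'
    '192.0.2.5 - - [08/Jan/2024:10:13:07 +0000] "GET /index.cgi?cli=a%3Bb HTTP/1.1" 200 900 "-" "Mozilla/5.0"\n'
)


def cli_values(target: str) -> list:
    """Return all URL-decoded `cli` values from a request target aimed at login.cgi."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login.cgi"):
        return []
    # parse_qs already percent-decodes once; decode a second time so a
    # double-encoded value (%253B -> %3B -> ;) cannot slip past the check.
    return [unquote(v) for v in parse_qs(parts.query, keep_blank_values=True).get("cli", [])]


def is_injection_attempt(target: str) -> bool:
    """True when any cli value of a login.cgi request contains a shell metacharacter."""
    return any(SHELL_META_RE.search(v) for v in cli_values(target))


def find_suspicious(log_text: str) -> list:
    """Scan access-log text; return (client_ip, decoded cli value) per suspicious request.
    Caveat: parameters carried in a POST body never reach an access log, so body
    inspection needs a WAF or sensor that records request bodies."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for v in cli_values(m["target"]):
            if SHELL_META_RE.search(v):
                hits.append((m["ip"], v))
    return hits


if __name__ == "__main__":
    for ip, value in find_suspicious(SAMPLE_LOG):
        print(f"suspicious login.cgi cli value from {ip}: {value!r}")
```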
Say it to the board
A vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.