Threats / D-Link / CVE-2019-17621
CVE-2019-17621
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
D-Link DIR-859 Router vulnerability
D-Link DIR-859 routers contain an unauthenticated command execution vulnerability in the UPnP service endpoint that allows remote attackers to execute arbitrary system commands with root privileges via crafted HTTP SUBSCRIBE requests.
Verdict
Today item — known-exploited.
An unauthenticated attacker on the local network can exploit this OS command injection flaw to gain complete control of the router, potentially compromising all connected devices and network traffic.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
55 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-06-29).
Probability (EPSS)
EPSS 0.89624 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: D-Link, DIR-859 Router. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-78 OS Command Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious HTTP SUBSCRIBE request targeting the /gena.cgi UPnP endpoint with injected shell commands.
Business
The router becomes fully compromised, enabling the attacker to pivot to internal network resources and intercept sensitive communications.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I execute commands as root to establish persistent backdoor access and modify router firmware or configuration.
Business
The organization loses control of network perimeter security and faces potential data exfiltration or lateral movement into critical systems.
3
Lateral reach — past segmentation narrative 3
Attacker
I redirect traffic, perform DNS spoofing, or deploy malware distribution infrastructure through the compromised router.
Business
Customer trust erodes as connected devices become infected; regulatory compliance violations and incident response costs accumulate.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05