CVE-2024-0769: CWE-22 Path Traversal in D-Link DIR-859
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
AI Analysis
Technical Summary
CVE-2024-0769 is a path traversal vulnerability identified in the D-Link DIR-859 router firmware version 1.06B01. The vulnerability exists in the HTTP POST request handler component, specifically in the /hedwig.cgi endpoint. An attacker can manipulate the 'service' argument by injecting a path traversal payload such as '../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml', which allows unauthorized reading of arbitrary files on the device's filesystem. This occurs due to insufficient sanitization of user-supplied input, enabling traversal outside the intended directory scope. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 5.3 (medium), reflecting the vulnerability's impact on confidentiality only, with no effect on integrity or availability. The vendor has confirmed that the DIR-859 product is end-of-life, and no patches are available. The exploit details have been publicly disclosed, increasing the risk of exploitation, although no active exploitation has been reported. This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive configuration files or other data stored on the affected router. This could lead to exposure of network configuration details, potentially aiding further attacks such as network reconnaissance or targeted exploitation. Since the vulnerability does not affect integrity or availability, it does not directly enable device takeover or denial of service. However, the confidentiality breach could compromise network security posture. Organizations relying on the DIR-859 routers, especially in critical infrastructure or sensitive environments, face increased risk if these devices remain in use. The lack of vendor support and patches exacerbates the threat, as mitigation options are limited to device replacement or network segmentation. The public disclosure of the exploit code increases the likelihood of opportunistic attacks, particularly from less sophisticated threat actors.
Mitigation Recommendations
Given the product is end-of-life and no patches are available, the primary mitigation is to retire and replace all affected D-Link DIR-859 devices with supported models that receive security updates. Until replacement, organizations should implement strict network segmentation to isolate these routers from sensitive internal networks. Restrict management interface access to trusted IP addresses and disable remote management if enabled. Monitor network traffic for unusual HTTP POST requests targeting /hedwig.cgi or attempts to exploit path traversal patterns. Employ intrusion detection/prevention systems (IDS/IPS) with signatures for path traversal attacks. Regularly audit router configurations and logs for signs of compromise. Educate network administrators about this vulnerability and ensure they follow best practices for device hardening. Finally, maintain an asset inventory to identify all affected devices to prioritize replacement efforts.
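A sketch of the monitoring step above, added here as an example and not taken from the advisory or any vendor tooling: it flags POST requests to /hedwig.cgi whose service value contains a traversal segment, including percent-encoded and double-encoded forms. The record fields (src, method, path, body), the sample requests and the two body encodings handled are assumptions, since the advisory does not describe the request format.

```python
import re
from urllib.parse import unquote

# Assumption: the advisory does not give the body encoding, so "service" is
# looked for both as an XML element and as a form field.
SERVICE_RE = re.compile(
    r"<service>(.*?)</service>|(?:^|&)service=([^&\s]*)",
    re.IGNORECASE | re.DOTALL)

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[\\/]+", decode_fully(value))

def suspicious_services(request):
    """Traversal-bearing 'service' values in one POST to /hedwig.cgi."""
    path = request["path"].split("?", 1)[0].rstrip("/").lower()
    if request["method"].upper() != "POST" or path != "/hedwig.cgi":
        return []
    values = [(a or b).strip() for a, b in SERVICE_RE.findall(request["body"])]
    return [v for v in values if has_traversal(v)]

def scan(records):
    """(source address, offending value) for every flagged record."""
    return [(r["src"], v) for r in records for v in suspicious_services(r)]

# Constructed sample records, not captured traffic; field names are hypothetical.
SAMPLES = [
    {"src": "192.0.2.10", "method": "POST", "path": "/hedwig.cgi",
     "body": "<request><service>EXAMPLE.SERVICE</service></request>"},
    {"src": "198.51.100.7", "method": "POST", "path": "/hedwig.cgi",
     "body": "<request><service>../../../../htdocs/webinc/getcfg/"
             "DHCPS6.BRIDGE-1.xml</service></request>"},
    {"src": "203.0.113.5", "method": "POST", "path": "/hedwig.cgi",
     "body": "service=%252e%252e%252fhtdocs%252fwebinc"},
    {"src": "192.0.2.10", "method": "GET", "path": "/hedwig.cgi", "body": ""},
]

if __name__ == "__main__":
    for src, value in scan(SAMPLES):
        print(f"ALERT {src} service={value}")
```

Matching on whole path segments rather than the substring ".." keeps values such as file..name from raising alerts.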
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2024-01-20T15:12:52.576Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f7d9b0247d717aace268a1
Added to database: 10/21/2025, 7:06:24 PM
Last enriched: 10/21/2025, 8:01:03 PM
Last updated: 10/30/2025, 2:29:20 AM