CVE-2024-0769 is a critical unauthenticated path traversal vulnerability (CVSS up to 9.8) in the end-of-life (EoL) D-Link DIR-859 router. It allows remote attackers to access sensitive files—such as configuration XMLs containing credentials—via the /hedwig.cgi CGI interface. It has been actively exploited (e.g., by GreyNoise) and public PoCs exist.
| Date | 2025-06-26 12:31:26 |
Technical Summary
By sending a specially crafted XML POST request to /hedwig.cgi and setting the service parameter to a path such as ../../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml, attackers can download critical router files (credentials, ACLs, NAT settings). These files are exposed without any authentication, allowing for immediate information disclosure and enabling privilege escalation or full device compromise.
Recommendations
Replace the device: The DIR-859 model reached end-of-life in December 2020, so no patches are available. Upgrade to a supported and secure router model.
Isolate the router: Until replacement, block all WAN/Public Zone access to its web interface; restrict admin access to a secure management network only.
Monitor the network for exploit traffic: Enable alerts for POST requests directed at
/hedwig.cgithat contain directory traversal patterns (../../..) in web logs and IDS systems.Secure and verify modified settings: After replacement, change all passwords, rebuild ACLs, and audit the network to ensure no malicious configurations remain.
[Callforaction-THREAT-Footer]
