CVE-2024-0769 — D-Link DIR-859 Router Path Traversal Vulnerability


D-Link DIR-859 (EOL) — Unauthenticated Path Traversal in hedwig.cgi Leaks Session Data and Config Files; No Patch — Retire and Replace

The D-Link DIR-859 is a consumer-grade Wi-Fi router (AC1750 dual-band) that reached end-of-life (EOL) and end-of-service (EOS) status — meaning D-Link will not release security patches or provide support for any vulnerabilities discovered in the device. D-Link EOL routers remain widely deployed in homes and small businesses, often running for years without firmware updates. Because these devices sit at the network perimeter, providing NAT, Wi-Fi, and sometimes port-forwarding, vulnerabilities in their web management interfaces can expose internal networks to unauthenticated remote attackers.

Overview

CVE-2024-0769 is an unauthenticated path traversal vulnerability in the D-Link DIR-859 router's CGI handler (/hedwig.cgi). By manipulating the service argument in an HTTP POST request, an unauthenticated remote attacker can traverse outside the intended directory and read arbitrary configuration files — including XML files containing session data. The leaked session data can enable privilege escalation or unauthorized administrative control of the router. Since the DIR-859 is EOL, D-Link will not release a patch; the only remediation is retiring and replacing the device.

Affected Versions

Product: D-Link DIR-859 (all hardware revisions)
Status: EOL — no patch will be issued; retire and replace

Affected firmware versions include 1.37b03, 1.37 ETA, 1.35b03, and 1.35 ETA.

Technical Details

CWE-22 (Path Traversal). The /hedwig.cgi CGI script handles service configuration requests via HTTP POST. The service argument is incorporated into a file path that hedwig.cgi reads and returns — but the value is not validated or sanitized to prevent directory traversal sequences (../). An attacker can supply a service value such as ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml to read files outside the intended directory.

The files accessible via traversal include XML configuration files in the /htdocs/webinc/getcfg/ directory structure, which contain session tokens, device configuration data, and potentially administrative credentials. With leaked session tokens, an attacker can authenticate to the router's web management interface with administrative privileges, enabling full router configuration changes — including DNS hijacking, traffic interception, port forwarding modifications, and disabling of security features.
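The following Python is an added example written for this page; it is not code from D-Link, from hedwig.cgi, or from the advisory. It shows the two halves of the CWE-22 story a defender cares about: how a naive join of the service argument onto a base directory escapes that directory, how a hardened resolver decodes the value, applies an allowlist and then verifies containment, and how the same traversal pattern can be flagged in request logs. The base directory reuses the /htdocs/webinc/getcfg/ path named above, but the allowlist, the log format and the sample log lines are constructed assumptions, since the real lookup logic inside hedwig.cgi is not published.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory the page names as the location of the leaked XML files. The exact
# lookup logic inside hedwig.cgi is not published; this base path is used here
# only to illustrate confinement, so treat the layout as an assumption.
CONFIG_ROOT = "/htdocs/webinc/getcfg"

# Hypothetical allowlist for a service name: letters, digits, '_', '-', '.' only.
# Any path separator or percent sign fails the match outright.
SAFE_SERVICE = re.compile(r"[A-Za-z0-9_.\-]+")


def vulnerable_resolve(service: str) -> str:
    """The CWE-22 shape: join the untrusted value onto the base directory and
    normalise it. A '../' in `service` steps out of CONFIG_ROOT. Shown only for
    contrast with hardened_resolve(); do not use."""
    return posixpath.normpath(posixpath.join(CONFIG_ROOT, service))


def hardened_resolve(service: str):
    """Return the confined path for `service`, or None if the request must be
    rejected. Decodes first so %2e%2e%2f cannot slip past the allowlist, then
    applies a containment check as a second, independent layer."""
    decoded = unquote(unquote(service))          # single- and double-encoded input
    if not SAFE_SERVICE.fullmatch(decoded):
        return None                               # separators, '%', NUL, empty
    candidate = posixpath.normpath(posixpath.join(CONFIG_ROOT, decoded))
    root = CONFIG_ROOT.rstrip("/") + "/"
    if not candidate.startswith(root):            # '..' or '.' normalised away
        return None
    return candidate


# Detection over request logs. Matches a '..' path component, with either
# separator, anywhere in the decoded `service` value.
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
SERVICE_PARAM = re.compile(r"service=([^\s&\"]+)")


def is_traversal_request(log_line: str) -> bool:
    """True when a request to hedwig.cgi carries a `service` value that, after
    URL-decoding, contains a '..' component."""
    if "hedwig.cgi" not in log_line:
        return False
    match = SERVICE_PARAM.search(log_line)
    if not match:
        return False
    value = unquote(unquote(match.group(1)))
    return TRAVERSAL.search(value) is not None


def scan_log(lines):
    """Return the indices of log lines that look like CVE-2024-0769 probes."""
    return [i for i, line in enumerate(lines) if is_traversal_request(line)]


# Constructed sample lines (addresses, timestamps and the encoded variant are
# made up). Real access logs usually omit POST bodies, so the parameter is shown
# in the query string here; on a live network the body would have to come from
# a reverse proxy, WAF or packet capture in front of the router.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "POST /hedwig.cgi?service=DHCPS6.BRIDGE-1.xml HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "POST /hedwig.cgi?service=../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml HTTP/1.1" 200 4096',
    '203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "POST /hedwig.cgi?service=%252e%252e%252fDHCPS6.BRIDGE-1.xml HTTP/1.1" 200 4096',
    '198.51.100.9 - - [01/Jan/2024:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    print("confined:", hardened_resolve("DHCPS6.BRIDGE-1.xml"))
    print("rejected:", hardened_resolve("../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml"))
    print("flagged lines:", scan_log(SAMPLE_LOG))
```

The allowlist alone would already reject the traversal path shown on this page, but the containment check is kept as an independent layer because a bare `..` passes the character class and only the normalised-path comparison catches it. Decoding twice before matching matters for detection as well: a double-encoded value decodes to a plain `..` component, which is why the third constructed line is flagged.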

Discovery

The vulnerability was published in January 2024, with technical details showing the specific vulnerable argument and example traversal path. Active exploitation was not confirmed until CISA's KEV addition in June 2025 — 17 months after disclosure — indicating sustained exploitation in the wild against unpatched, EOL devices that remain deployed.

Exploitation Context

EOL D-Link routers are a recurring KEV category: attackers specifically target devices that will never receive patches because they can rely on a persistent, unremediable foothold for extended periods. The DIR-859's unauthenticated path traversal enables remote network access for botnet recruitment, DNS hijacking for credential theft, traffic interception, and use as pivot points for attacking other devices on the same network. The 17-month gap between CVE publication and KEV addition suggests the vulnerability was incorporated into automated attack tooling sometime in mid-2025 when exploitation became widespread enough for CISA to catalog it.

Remediation

  1. Retire and replace the D-Link DIR-859 — D-Link will not issue a patch; this is the only supported resolution. Replace with a currently-supported router model.
  2. If immediate replacement is not possible, as an interim measure: disable the router's web management interface access from the WAN (internet) side — many consumer routers can be configured to allow management only from the LAN.
  3. Change the router's administrative password to a strong, unique value — a leaked session token may let an attacker bypass the password entirely, but a unique password at least prevents a stolen credential from being reused against other accounts or devices.
  4. Monitor for signs of DNS hijacking: if devices on the network are experiencing unexpected redirects or SSL certificate warnings, the router may already be compromised.
  5. After replacing the router, check downstream devices for malware — a compromised router may have been used to redirect traffic and conduct man-in-the-middle attacks on connected devices.

Key Details

CVE ID: CVE-2024-0769
Vendor / Product: D-Link — DIR-859 Router
NVD Published: 2024-01-21
NVD Last Modified: 2025-10-30
CVSS 3.1 Score: 5.3
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM
CWE: CWE-22
CISA KEV Added: 2025-06-25
CISA KEV Deadline: 2025-07-16
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-07-16. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2024-01-21: CVE-2024-0769 published — D-Link DIR-859 path traversal vulnerability disclosed; no patch planned (EOL device)
2025-06-25: CISA adds to Known Exploited Vulnerabilities catalog — 17 months after CVE publication
2025-07-16: CISA BOD 22-01 remediation deadline

References

D-Link Security Advisory SAP10371 — CVE-2024-0769 (Vendor Advisory)
NVD — CVE-2024-0769 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)