D-Link DIR-859 Router Path Traversal Vulnerability (CVE-2024-0769)

D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Published Jan 21, 2024 · Updated May 17, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve partial data exposure. Federal agencies are required to remediate by 2025-07-16 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Path Traversal (CWE-22) vulnerability in D-Link DIR-859 Router. ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

→

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

●IT Security

●Running dir-859 firmware: 1.06

Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: https://github.com/c2dc/cve-reported/blob/main/CVE-2024-0769/CVE-2024-0769.md

How to patch

Manual remediation steps

Identify affected hosts: query inventory for general installs in scope.

Apply the vendor security update referenced in CVE-2024-0769's advisory. No specific KB/version is encoded yet — consult the linked MSRC/vendor URL.

Verify the fix per the vendor's published verification steps.

Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2024-0769 ↗ MSRC Advisory ↗ NVD ↗ Vendor Advisory