Auth bypass in Dlink Dir-816
CVE-2019-7642
D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmwa…
Vulnerability class: Broken Authentication
EPSS: 0.026 (83.4th percentile)
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Affected products
- Dlink Dir-816 — versions b1
- Dlink Dir-816_firmware — versions 2.06
- Dlink Dir-816l — versions b1
- Dlink Dir-816l_firmware — versions 2.06
- Dlink Dir-817lw — versions a1
- Dlink Dir-817lw_firmware — versions 1.04
- Dlink Dir-850l — versions a1
- Dlink Dir-850l_firmware — versions 1.09
- Dlink Dir-868l — versions a1
- Dlink Dir-868l_firmware — versions 1.10
Weakness classification (CWE)
Public proof-of-concept exploits
Frequently asked questions
- What is CVE-2019-7642?
  - CVE-2019-7642 is a high-severity vulnerability in Dlink Dir-816, classified under Missing Authentication for Critical Function. CVSS score: 7.5/10. Published 2019-03-25.
- How severe is CVE-2019-7642?
  - High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2019-7642 known to be exploited?
  - 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.