{"cve":{"cve_id":"CVE-2019-16920","is_kev":true,"kev_date_added":"2022-03-25","kev_vendor_project":"D-Link","kev_product":"Multiple Routers","kev_vulnerability_name":"D-Link Multiple Routers Command Injection Vulnerability","kev_short_description":"Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.","kev_required_action":"The impacted product is end-of-life and should be disconnected if still in use.","kev_due_date":"2022-04-15","kev_known_ransomware":false,"kev_notes":"https://nvd.nist.gov/vuln/detail/CVE-2019-16920","kev_cwes":["CWE-78"],"epss_score":0.99996,"epss_percentile":0.99988,"epss_as_of":"2026-06-23","description":"Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a \"PingTest\" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.","published_at":"2019-09-27T11:34:12Z","last_modified_at":null,"cvss_v3_score":9.8,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"CRITICAL","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":true,"ssvc_technical_impact":"total","cwes":["CWE-78"],"nvd_references":["https://fortiguard.com/zeroday/FG-VD-19-117","https://www.seebug.org/vuldb/ssvid-98079","https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3","https://www.kb.cert.org/vuls/id/766427"],"vuln_status":null,"trending_score":0.6099928,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-29T02:30:27.550645Z"},"effective_severity":"CRITICAL","badges":["kev","poc","epss"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[],"exploit_refs":[{"source":"nuclei","kind":"nuclei","url":"https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-16920.yaml","title":"D-Link Routers - Remote Code Execution","author":"dwisiswant0","disclosed_at":null}],"news":[],"references":[{"url":"https://fortiguard.com/zeroday/FG-VD-19-117","source_type":"MISC","tags":[]},{"url":"https://www.seebug.org/vuldb/ssvid-98079","source_type":"MISC","tags":[]},{"url":"https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3","source_type":"MISC","tags":[]},{"url":"https://www.kb.cert.org/vuls/id/766427","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2019-09-27T11:34:12Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2022-03-25T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"poc_available","at":"2026-06-24T00:29:48.638073Z","label":"Public PoC available","source":"nuclei"},{"type":"ssvc_changed","at":"2026-06-24T00:31:19.303295Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:19.303295Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:19.303295Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:19.303295Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:19.303295Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:19.303295Z","label":"CVSS score revised","source":"vulnrichment"}]}