CVE-2019-13372 — AI Deep Analysis Summary

🚨 **Essence**: Remote Code Execution (RCE) via **Code Injection**. 📉 **Consequences**: Attackers can execute arbitrary PHP code, completely compromising the **D-Link Central WiFi Manager CWM-100**.…

🛡️ **Root Cause**: **CWE-94** (Code Injection). The file `/web/Lib/Action/IndexAction.class.php` fails to filter special elements in external input. Specifically, the **username cookie field** allows `eval` injection.

📦 **Affected**: **D-Link Central WiFi Manager CWM-100**. 📅 **Versions**: Before **v1.03R0100_BETA6**. 🏢 **Vendor**: D-Link (Taiwan).

💀 **Attacker Power**: Full **Remote Code Execution**. 📂 **Data Access**: Can read/modify any data on the server. 🔓 **Privileges**: Gains control over the web application and underlying OS via PHP execution.

⚠️ **Threshold**: **LOW**. 🚫 **Auth Bypass**: An **empty password** bypasses authentication entirely. 🍪 **Vector**: Exploitation happens via a crafted **Cookie** header. No complex setup needed.

🔓 **Public Exp?**: **YES**. 📜 **PoC**: Available via **Nuclei Templates** (ProjectDiscovery) and multiple security blogs (unh3x, PacketStorm). 🌍 **Wild Exploitation**: High risk due to simple cookie-based injection.

🔍 **Self-Check**: Scan for **D-Link CWM-100** devices. 🧪 **Test**: Send a cookie with `username` containing PHP code (e.g., `<?php phpinfo(); ?>`) and an **empty password**. Check for execution response.

🩹 **Official Fix**: **YES**. 📥 **Action**: Upgrade to version **v1.03R0100_BETA6** or later. 📢 **Source**: D-Link Security Advisory **SAP10117**.

🚧 **No Patch?**: **Mitigation**: Block external access to the management interface. 🛑 **Restrict**: Use firewall rules to allow only trusted IPs. 🧹 **Input**: If possible, sanitize cookie inputs (though upgrade is best).

🔥 **Urgency**: **CRITICAL**. 🚨 **Priority**: **P1**. The combination of **RCE**, **Auth Bypass**, and **Public PoC** makes this an immediate threat. Patch immediately!