CISA has issued an urgent warning regarding a critical path traversal vulnerability affecting D-Link DIR-859 routers that is being actively exploited in the wild.
The vulnerability, designated as CVE-2024-0769, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on June 25, 2025, with federal agencies required to implement remediation measures by July 16, 2025.
Summary
1. CVE-2024-0769 affects D-Link DIR-859 routers via path traversal in /hedwig.cgi, enabling unauthorized access.
2. CISA confirmed this vulnerability is being exploited in the wild as of June 25, 2025.
3. Affected routers are end-of-life with no security updates coming from D-Link.
4. Federal agencies have until July 16, 2025 to replace vulnerable devices.
Critical Path Traversal Flaw
The identified vulnerability represents a significant security risk for organizations still operating legacy D-Link DIR-859 routers.
This path traversal flaw, classified under Common Weakness Enumeration CWE-22, enables attackers to bypass normal file access restrictions and gain unauthorized access to sensitive system files.
The vulnerability specifically targets the /hedwig.cgi component within the router’s HTTP POST Request Handler, creating a direct pathway for malicious actors to compromise the network infrastructure.
All hardware revisions of the affected D-Link DIR-859 model have reached their end-of-life (EOL) or end-of-service (EOS) lifecycle status, meaning they no longer receive security updates or vendor support.
This EOL status significantly amplifies the security risk, as no patches will be developed to address this critical vulnerability.
Organizations utilizing these devices face an immediate security exposure that can only be resolved through complete device replacement.
Technical analysis reveals that the attack vector involves manipulation of the service argument within HTTP POST requests to the vulnerable /hedwig.cgi endpoint.
Attackers exploit this vulnerability by injecting the path traversal payload ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml into the service parameter.
This specific input allows unauthorized access to configuration files containing sensitive session data, potentially enabling privilege escalation attacks.
The path traversal technique employs directory traversal sequences (../) to navigate outside the intended directory structure and access restricted system files.
Once successful, attackers can extract session tokens, configuration parameters, and other sensitive information that facilitates complete device compromise.
This unauthorized access potentially grants attackers administrative control over the affected router, enabling them to intercept network traffic, modify routing configurations, or establish persistent backdoors.
| Risk Factors | Details |
| --- | --- |
| Affected Products | D-Link DIR-859 Router (all hardware revisions) |
| Impact | Path traversal vulnerability |
| Exploit Prerequisites | HTTP POST request to /hedwig.cgi; manipulation of service parameter; payload: ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml |
| CVSS 3.1 Score | 9.8 (Critical) |
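The following added example, which is not from the original article, CISA or D-Link, shows detection logic for the request pattern described above: a POST to /hedwig.cgi whose service value contains parent-directory segments, including percent-encoded forms. The record layout, the sample requests and the two body encodings checked (a form field or an XML element named service) are assumptions, since the article does not describe the body format.

```python
import re
from urllib.parse import unquote

TARGET_PATH = "/hedwig.cgi"
# Assumption: the service value arrives as a form field or as an XML element.
SERVICE_RE = re.compile(r"\bservice=([^&\s]*)|<service>(.*?)</service>", re.I | re.S)

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so %2e%2e%2f and %252e%252e%252f become ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def service_values(body):
    """Return every service value found in the decoded request body."""
    return [a or b for a, b in SERVICE_RE.findall(decode_fully(body))]

def is_traversal(value):
    """True when any path segment is '..', with either slash style."""
    return ".." in re.split(r"[\\/]", value)

def flag_request(method, path, body):
    """Match the pattern in the article: POST to /hedwig.cgi with traversal in service."""
    if method.upper() != "POST":
        return False
    if path.split("?", 1)[0].lower() != TARGET_PATH:
        return False
    return any(is_traversal(v) for v in service_values(body))

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE = [
    ("192.0.2.10", "POST", "/hedwig.cgi", "<request><service>EXAMPLE.SERVICE</service></request>"),
    ("198.51.100.7", "POST", "/hedwig.cgi",
     "<request><service>../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml</service></request>"),
    ("198.51.100.8", "POST", "/hedwig.cgi", "service=%252e%252e%252f%252e%252e%252fhtdocs"),
    ("192.0.2.11", "GET", "/index.html", ""),
]

def scan(records):
    """Return source addresses whose requests match the traversal pattern."""
    return [src for src, method, path, body in records if flag_request(method, path, body)]

if __name__ == "__main__":
    for src in scan(SAMPLE):
        print("traversal attempt against /hedwig.cgi from", src)
```

Because the device cannot be patched, a match from an external source address also indicates that the router's management interface is reachable from outside and the device should be prioritized for replacement.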
Mitigations
CISA’s inclusion of CVE-2024-0769 in the KEV catalog triggers mandatory compliance requirements under Binding Operational Directive (BOD) 22-01.
Federal agencies must implement vendor-recommended mitigations or discontinue use of affected devices within the specified timeframe.
Given the EOL status of DIR-859 routers, the primary remediation strategy involves complete device replacement with supported, actively maintained networking equipment.
Organizations in critical infrastructure sectors should prioritize immediate assessment of their network inventory to identify vulnerable D-Link DIR-859 devices.
The active exploitation status of this vulnerability necessitates urgent action to prevent potential ransomware deployment, data exfiltration, or lateral movement within compromised networks.