What happened
CISA added CVE-2024-0769 to the Known Exploited Vulnerabilities catalog, signaling active exploitation and setting a remediation due date of 2025-07-16 (CISA KEV). The issue affects D-Link DIR-859 routers and is tracked as a path traversal in the router's web interface (NVD entry). The vulnerable component is `/hedwig.cgi`, where an HTTP POST with a crafted `service` parameter can traverse directories and expose configuration data (NVD entry).
CISA's entry states the attacker-controlled `service` argument can point to `../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml`, leaking session data that can enable privilege escalation and unauthorized device control (CISA KEV). All hardware revisions are end-of-life/end-of-service (EOL/EOS), and the vendor instructs retirement and replacement of affected units (CISA KEV). The vulnerability is cataloged as CWE-22 (path traversal) in the NVD record for this CVE (NVD entry).
Why it matters
Inclusion in the KEV list means exploitation is observed in the wild and federal agencies are mandated to remediate on a deadline (CISA KEV). A path traversal that exposes live session or configuration data on a router can translate into privilege escalation and full device control, per the CISA summary (CISA KEV). Once an attacker controls the router, the network device itself becomes untrustworthy; CISA flags this risk directly via the unauthorized control outcome noted in the entry (CISA KEV).
The affected model is explicitly a legacy product line, and all revisions have reached EOL/EOS, which means mitigations may be unavailable and systems should be retired and replaced per the vendor guidance referenced by CISA (CISA KEV). This combination of active exploitation, device-level control, and no vendor support elevates operational risk for any environment still running the DIR-859 (NVD entry).
Technical detail
The flaw is a directory traversal (CWE-22) in the HTTP POST request handling of `/hedwig.cgi`, where the `service` parameter is not properly constrained, allowing a relative path to target internal config files (NVD entry). CISA notes that sending `service=../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml` can disclose session data, which then enables privilege escalation and unauthorized device control (CISA KEV). The issue is explicitly described in the CISA entry for CVE-2024-0769 and mapped to a path traversal weakness category by NVD (NVD entry).
The MITRE CVE record corroborates identification and tracking of CVE-2024-0769, providing a canonical reference for the vulnerability's assignment and metadata (MITRE CVE). The core exploitation path remains: an HTTP POST to `/hedwig.cgi` with a traversal sequence in `service` that resolves to sensitive XML under `htdocs/webinc/getcfg/`, resulting in credential/session leakage (NVD entry). Because the target devices are legacy and unsupported, CISA's guidance focuses on retirement over patching (CISA KEV).
Defense
CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable (CISA KEV). For federal agencies, the due date to remediate or remove is 2025-07-16, per the KEV catalog entry for CVE-2024-0769 (CISA KEV). Given CISA's EOL/EOS note, the operationally correct move is to retire and replace any DIR-859 still present in inventories (CISA KEV).
Detection and response tips that align with the published exploit path:
- Hunt for HTTP POST requests to `/hedwig.cgi` carrying a `service` parameter containing traversal sequences like `../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml` (NVD entry).
- Flag responses that return XML configs from `htdocs/webinc/getcfg/` when such access should never be user-initiated, as per the data exposure described by CISA (CISA KEV).
- Treat any evidence of this access as potential credential/session compromise and escalate per incident response plans while accelerating retirement (CISA KEV).
Asset owners should reconcile inventories against the affected model (D-Link DIR-859) and decommission on sight rather than defer, leveraging the KEV designation to prioritize action (NVD entry). For record parity and downstream tooling, ensure CVE-2024-0769 is tracked in ticketing with references to both NVD and CISA for authoritative context (MITRE CVE).
Lyrie Verdict
Operationalize this KEV entry into an autonomous rule: detect and auto-quarantine upon any POST to `/hedwig.cgi` where `service` includes `../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml`, as documented for CVE-2024-0769 (NVD entry). Because devices are EOL/EOS and exploitation is confirmed by inclusion in KEV, machine-speed enforcement should sever the router from production and force replacement rather than attempt remediation (CISA KEV). Tie the detector to the CVE ID and weakness class (CWE-22) to ensure durable coverage across similar traversal patterns observed in router management planes (NVD entry).
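The detection tips in the Defense section and the quarantine rule above, as an added Python example that is not part of this advisory or of any CISA/NVD tooling: it scans access-log lines for POSTs to `/hedwig.cgi` whose `service` parameter carries a `..` traversal component (plain, URL-encoded or double-encoded) or targets `htdocs/webinc/getcfg/`, and tags each hit with CVE-2024-0769 and CWE-22. The `METHOD PATH STATUS BODY` log format, the sample lines and the "quarantine" action are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote

CVE_ID, CWE_ID = "CVE-2024-0769", "CWE-22"
CONFIG_DIR = "htdocs/webinc/getcfg/"
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<body>.*)$")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")  # a ".." path component

# Constructed sample lines in an assumed "METHOD PATH STATUS BODY" format (not real
# captures): the documented traversal in plain, URL-encoded and double-encoded form,
# then two benign requests.
SAMPLE_LOG = [
    "POST /hedwig.cgi 200 service=../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml",
    "POST /hedwig.cgi 200 service=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fhtdocs%2Fwebinc%2Fgetcfg%2FDHCPS6.BRIDGE-1.xml",
    "POST /hedwig.cgi 200 service=..%252f..%252f..%252f..%252fhtdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml",
    "POST /hedwig.cgi 200 service=wan",
    "GET /index.html 200 -",
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a request on the CVE-2024-0769 exploit path, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    if m.group("path").split("?", 1)[0] != "/hedwig.cgi":
        return None
    # parse_qs decodes one layer; decode_fully strips any further layers
    for raw in parse_qs(m.group("body"), keep_blank_values=True).get("service", []):
        service = decode_fully(raw).replace("\\", "/")
        traversal = bool(TRAVERSAL_RE.search(service))
        config_read = CONFIG_DIR in service
        if traversal or config_read:
            return {"cve": CVE_ID, "cwe": CWE_ID, "service": service,
                    # a 200 on a getcfg target means the XML was most likely served
                    "disclosed": config_read and m.group("status") == "200",
                    "action": "quarantine"}  # assumed response, per the verdict above
    return None

def scan(lines):
    """Run inspect_line over a log and return the findings in order."""
    return [f for f in map(inspect_line, lines) if f]
```

Running `scan(SAMPLE_LOG)` yields three findings, all normalised to the same traversal string, so a single rule keyed on the decoded `service` value covers the encoded variants as well.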