Researchers at CyStack Security, based in Vietnam, discovered and reported the vulnerability in mid-August. About a month later the vendor released an advisory about the vulnerability, but it turned out that the security flaw had actually been fixed by mistake in April, when D-Link released firmware version 2.06b01 to address a vulnerability exploited by the Cr1ptT0r ransomware to infect D-Link NAS devices.
The CVE-2019-16057 flaw has been rated CVSS 10 by CyStack. It affects D-Link DNS-320 devices with firmware version 2.05b10 and later.
CyStack's Nguyen Dang told SecurityWeek that the vulnerability can be exploited directly from the Internet, and says there are at least 800 vulnerable devices that can be attacked over the web. Nguyen noted that all D-Link DNS-320 devices were vulnerable to attacks before the problem was resolved in April.
The vulnerability has been described as a command injection issue that exists in the connection module for the DNS-320 management interface.
The affected component, /cgi/login_mgr.cgi, includes a parameter named "port" that can be manipulated. An unauthorized attacker can abuse this parameter to execute arbitrary commands with root permissions, which allows them to take full control of a targeted device and the files stored on it.
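As an added illustration (not D-Link's or CyStack's code), the C sketch below shows input handling that closes off this class of bug in a CGI handler: the "port" form value is percent-decoded first and accepted only if it is a plain integer in 1..65535, so later code works with the parsed integer rather than the raw string. The function names and sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a form value into out.
 * Returns 0, or -1 on a malformed escape, an embedded NUL, or overflow. */
int url_decode(const char *in, char *out, size_t outlen) {
    const unsigned char *p = (const unsigned char *)in;
    size_t o = 0;
    for (size_t i = 0; p[i] != '\0'; i++) {
        unsigned char c = p[i];
        if (c == '%') {
            if (!isxdigit(p[i + 1]) || !isxdigit(p[i + 2])) return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Accept only 1-5 ASCII digits with a value in 1..65535; otherwise -1.
 * Anything else (spaces, signs, separators, shell metacharacters) is rejected. */
int parse_port(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 5) return -1;
    for (size_t i = 0; i < len; i++)
        if (s[i] < '0' || s[i] > '9') return -1;
    long v = strtol(s, NULL, 10);
    return (v >= 1 && v <= 65535) ? (int)v : -1;
}

/* Decode, then validate: checking before decoding would miss encoded characters. */
int port_from_form(const char *raw) {
    char buf[16];
    if (raw == NULL || url_decode(raw, buf, sizeof buf) != 0) return -1;
    return parse_port(buf);
}

int main(void) {
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "443", "080", "%38%30", "65536", "80;x", "80%3Bx", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], port_from_form(samples[i]));
    return 0;
}
```

If the value must then be handed to another program, pass the parsed integer as a separate argument via an exec-style call rather than building a shell command string from the request.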
CyStack published a blog post describing the vulnerability and how the researchers discovered its existence.