Support Announcements
DIR-859 Rev. Ax FW v1.06 & DIR-850L Rev. Ax :: FW v1.13 :: CVE-2019-17508 :: Unauthenticated Command Injection Security Vulnerability



On October 15, 2019, D-Link became aware of CVE-2019-17508 that accuses the DIR-859 Rev.Ax and DIR-850L Rev. Ax having an Unauthenticated Command Injection Security Vulnerability. D-Link has investigated the report, cofirms the issue, and has released patches to close the security vulnerabilitiy.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. 





CVE-2019-17508 : D-Link DIR-859 Ax v1.06 and DIR-850 Ax v1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable.



Affected Products


Currently, the following D-Link brand devices are affected and the following patches are available for upgrading:


Model HW Rev. Region Affected FW Fixed FW Current FW Recommendation Info Last Update
DIR-859 All Ax Revs
 US v1.06 & older v1.07b03_jbli v1.07b03_jbli Released
DIR-850L All Ax Revs
 US v1.13 & older v1.21WWb07 v1.21WWb07 Released


Security patch for your D-Link Devices

This firmware is an update security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install this relevant updates.


As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.