Pierluigi Paganini June 26, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

• CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
• CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
• CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability

The vulnerability CVE-2024-0769 is a path traversal issue that can lead to information disclosure. Threat actors are exploiting the flaw to collect account information, including user passwords, from the vulnerable D-Link DIR-859 WiFi routers.

The vendor states that the DIR-859 family of routers has reached their End of Life (“EOL”)/End of Service Life (“EOS”) life-cycle, and for this reason, the flaw will likely not be addressed.

In July 2024, researchers from cybersecurity firm GreyNoise spotted exploitation attempts for the critical vulnerability CVE-2024-0769 (CVSS score 9.8) impacting all D-Link DIR-859 WiFi routers.

GreyNoise observed hackers targeting the ‘DEVICE.ACCOUNT.xml’ file to extract all account names, passwords, user groups, and user descriptions on the device. The attackers use a modified version of the public exploit.

“GreyNoise observed a slight variation in-the-wild which leverages the vulnerability to render a different PHP file to dump account names, passwords, groups, and descriptions for all users of the device. At the time of writing we are not aware of the motivations to disclose/collect this information and are actively monitoring it” reads the analysis published by GreyNoise.

“In the variation as observed by GreyNoise DEVICE.ACCOUNT.xml is utilized. We went ahead and retrieved this file in full. While the exploit conditions are the same as the public PoC, the variation as observed by GreyNoise is dumping all name, password, group, and description for all users of the device.”

The hackers are exploiting the flaw by sending a malicious POST request to ‘/hedwig.cgi,’ to access sensitive configuration files (‘getcfg’) via the ‘fatlady.php’ file, potentially leasing to the exposure of the user credentials.

Once the attackers have obtained the credentials, they can potentially take full control of the device.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by July 16, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)