D-Link won’t patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code. The vulnerability (CVE-2019-16920) exists in the latest firmware for the DIR-655, DIR. The root cause of the vulnerability, according to Fortinet, is the lack of a sanity check on arbitrary commands that are executed by the native command-execution function. With no patch available, affected users should upgrade their devices as soon as possible.
Source: https://threatpost.com/d-link-home-routers-unpatched/148941/