PatchSiren cyber security CVE debrief

CVE-2016-10184 Dlink CVE debrief

CVE-2016-10184 is a high-severity path traversal issue in the D-Link DWR-932B router. According to NVD, the qmiweb component allows file reading using ..%2f traversal, which can expose local files over the network. NVD classifies the weakness as CWE-22 and rates it CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating remote exploitation without privileges or user interaction and a confidentiality impact.

Vendor: Dlink
Product: CVE-2016-10184
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

Operators, administrators, and security teams responsible for D-Link DWR-932B devices, especially firmware identified by NVD as dwr-932b_firmware 02.02eu revb. Internet-exposed routers and environments that rely on this model for remote access or edge connectivity should treat this as a priority issue.

Technical summary

NVD lists CVE-2016-10184 as a CWE-22 path traversal vulnerability affecting D-Link DWR-932B firmware 02.02eu revb. The issue is described as qmiweb allowing file reading via ..%2f traversal. The published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates the attack is network-reachable, low-complexity, requires no authentication, and can lead to high confidentiality impact.

Defensive priority

High. The vulnerability is remotely reachable and requires no privileges or user interaction, so exposed devices should be reviewed promptly. Treat any internet-facing or otherwise accessible DWR-932B deployment as urgent to assess and contain.

Recommended defensive actions

Inventory D-Link DWR-932B devices and confirm whether the affected firmware family listed by NVD (02.02eu revb) is present.
Restrict network exposure immediately; remove direct internet access and limit management interfaces to trusted administrative networks.
Apply any vendor-provided firmware update or mitigation for the affected model if available through D-Link support channels.
If no fix is available, isolate, replace, or decommission affected devices in high-risk environments.
Review logs and access patterns for signs of unexpected file access attempts against the router management interface.
Validate that backup, configuration, and credential files stored on affected devices are protected or migrated off-device where possible.

Evidence notes

This debrief is based on the NVD record for CVE-2016-10184 and its cited references. NVD identifies the weakness as CWE-22, the vulnerable CPE as cpe:2.3:o:dlink:dwr-932b_firmware:02.02eu:revb:*:*:*:*:*:*, and the CVSS vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The source references include a SecurityFocus BID entry and a technical advisory by Pierre Kim dated 2016-09-28, which describes the D-Link DWR-932B vulnerabilities referenced by NVD.

Official resources

CVE-2016-10184 CVE record
CVE.org
CVE-2016-10184 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Exploit, Technical Description, Third Party Advisory

CVE-2016-10184 was published in CVE/NVD on 2017-01-30. The NVD record was modified on 2026-05-13. The referenced technical advisory dates to 2016-09-28, so that source predates the CVE publication date and should not be treated as the CVE's