CVE-2020-25506
In short
D-Link DNS-320 routers with firmware version 2.06B01 have a security flaw that allows attackers to run arbitrary commands on the device remotely without authentication, potentially taking complete control of the router.
Technical detail
A command injection vulnerability in the system_mgr.cgi endpoint allows unauthenticated remote attackers to execute arbitrary OS commands via specially crafted input, leading to complete system compromise. The vulnerability exists in the command processing logic, which fails to properly sanitize user input before passing it to shell execution functions.
Summary generated and translated by AI from the official description.
D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a