← back
CVE-2023-25280

CVE-2023-25280

CVSS 9.8 CRITICALEPSS 98.1%● KEVCWE-78
Vexday Risk Score
95Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8EPSS 98.1%KEV simPoC Nuclei simMetasploit Patch
Lifecycle
16 Mar 2023Published on NVD
30 Sep 2024Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A D-Link router has a critical flaw where attackers can inject malicious commands through the ping feature, allowing them to take complete control of the device with administrator privileges.

Technical detail

OS command injection vulnerability in the ping.ccp endpoint via the ping_addr parameter allows unauthenticated attackers to execute arbitrary commands with root privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system command execution functions.

Summary generated and translated by AI from the official description.
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/migraine-sudo/D_Link_Vuln/tree/main/cmd%20Inject%20in%20pingV4Msghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-25280https://www.dlink.com/en/security-bulletin/