Remote Command Execution in D-Link DIR-825 and TRENDnet TEW-632BRP
CVE-2020-10215

8.8HIGH

Key Information:

Vendor: D-Link
Status: Dir-825 Firmware
Vendor: CVE Published:; 7 March 2020

Summary

A vulnerability has been identified in D-Link DIR-825 Rev.B 2.10 and TRENDnet TEW-632BRP 1.010B32 that allows remote attackers to execute arbitrary commands on the affected devices. This occurs via the dns_query_name parameter in a specially crafted POST request to dns_query.cgi. Exploiting this vulnerability could enable unauthorized access and control over the affected devices, posing significant security risks to users. It is crucial to implement security measures and updates to mitigate this threat.

References

https://github.com/kuc001/IoTFirmware/blob/master/Trendne...

x_refsource_MISC

https://github.com/kuc001/IoTFirmware/blob/master/D-Link/...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2020
Vulnerability Reserved
Mar 7, 2020