Remote Code Execution Flaw in D-Link DIR-846 Devices
CVE-2020-21016

9.8CRITICAL

Key Information:

Vendor: D-Link
Status: Dir-846 Firmware
Vendor: CVE Published:; 31 October 2022

Summary

A remote code execution vulnerability exists in D-Link DIR-846 devices running firmware version 100A35. Attackers can exploit this flaw to execute arbitrary code with root privileges through the HNAP1 interface, specifically via the SetGuestWLanSettings.php file. This may allow unauthorized access and control over the device, posing significant security risks for users.

References

https://www.dlink.com/en/security-bulletin/

https://github.com/dahua966/Routers-vuls/blob/master/DIR-...

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 31, 2022
Vulnerability Reserved
Aug 13, 2020