Remote Code Execution Vulnerability in D-Link Routers
CVE-2020-27862

8.8HIGH

Key Information:

Vendor: D-link
Status: Multiple Routers
Vendor: CVE Published:; 12 February 2021

Summary

This vulnerability permits attackers on the same network to execute arbitrary code on the D-Link DVA-2800 and DSL-2888A routers without requiring authentication. The flaw resides within the dhttpd service, which listens on TCP port 8008 by default. The service fails to validate user-supplied strings adequately when parsing the path parameter, enabling an attacker to manipulate the execution of a system call and potentially gain access to sensitive functionalities of the web server.

Affected Version(s)

Multiple Routers firmware version 2.3

References

https://www.zerodayinitiative.com/advisories/ZDI-20-1426/

x_refsource_MISC

https://supportannouncement.us.dlink.com/announcement/pub...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 12, 2021
Vulnerability Reserved
Oct 27, 2020

Credit

chung96vn ft phieulang