Authentication Bypass Vulnerability in D-Link DAP-1330 Wi-Fi Range Extenders
CVE-2020-8861

8.8HIGH

Key Information:

Vendor: D-link
Status: Dap-1330
Vendor: CVE Published:; 22 February 2020

Summary

A vulnerability in D-Link DAP-1330 Wi-Fi range extenders allows network-adjacent attackers to bypass authentication due to improper handling of HNAP login requests. This flaw arises from inadequate cookie management which can enable an attacker to execute arbitrary code on the device. This security issue poses a significant risk as authentication is not required for exploitation, allowing unauthorized access to the device.

Affected Version(s)

DAP-1330 1.10B01 BETA

References

https://www.zerodayinitiative.com/advisories/ZDI-20-265/

x_refsource_MISC

https://supportannouncement.us.dlink.com/announcement/pub...

x_refsource_MISC

EPSS Score

46% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 22, 2020
Vulnerability Reserved
Feb 11, 2020

Credit

chung96vn - Security Researcher of VinCSS (Member of Vingroup)