Authentication Bypass Vulnerability in D-Link DIR-867, DIR-878, and DIR-882 Routers
CVE-2020-8863

8.8HIGH

Key Information:

Vendor: D-link
Status: Multiple Routers
Vendor: CVE Published:; 23 March 2020

Summary

This vulnerability enables attackers on the same network to bypass authentication in D-Link DIR-867, DIR-878, and DIR-882 routers, specifically those running firmware version 1.10B04. The flaw resides in the improper handling of HNAP login requests, leading to an unforeseen lack of necessary authentication. Consequently, attackers can exploit this weakness to escalate privileges and execute arbitrary code within the affected router's context, posing significant risks to network integrity and security.

Affected Version(s)

Multiple Routers 1.10B04

References

https://www.zerodayinitiative.com/advisories/ZDI-20-267/

x_refsource_MISC

https://supportannouncement.us.dlink.com/announcement/pub...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 23, 2020
Vulnerability Reserved
Feb 11, 2020

Credit

chung96vn - Security Researcher of VinCSS (Member of Vingroup)