Cyber Resilience

CVE-2015-1187

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 21 September 2017

Published
21 September 2017
Modified
21 April 2026
KEV Added
25 March 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8288 99.3th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-1187 is a critical-severity Improper Authentication (CWE-287) vulnerability in Dlink Dir-820L Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2015-1187 resides in the ping tool of multiple D-Link and TRENDnet devices and is tracked under CWE-287 for improper authentication. Unauthenticated remote attackers can supply crafted input through the ping_addr parameter to ping.ccp, resulting in arbitrary code execution on the affected embedded devices.

Because the flaw is reachable over the network without credentials or user interaction, an attacker can achieve full control of the device, including the ability to read, modify, or delete data and disrupt device operation, consistent with the CVSS 9.8 rating.

Public disclosures and the D-Link advisory SAP10052 listed in the references document the affected models and parameter handling issue, while exploit code has been published on PacketStorm and Seclists. No information on patch availability or confirmed in-the-wild exploitation is provided in the supplied references.

EU & UK References

Vulnerability details

The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp.

CWE(s)
KEV Date Added
25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dlink
dir-626l firmware
1.04
dlink
dir-636l firmware
1.04
dlink
dir-808l firmware
1.03
dlink
dir-810l firmware
1.01, 2.02
dlink
dir-820l firmware
1.02, 1.05, 2.01
dlink
dir-826l firmware
1.00
dlink
dir-830l firmware
1.00
dlink
dir-836l firmware
1.01
trendnet
tew-731br firmware
2.01
dlink
dir-651 firmware
1.10na
+5 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization checks on the ping.ccp interface so that unauthenticated remote attackers cannot reach the vulnerable ping_addr parameter.

prevent

Requires validation and sanitization of the ping_addr input, blocking the crafted values that produce arbitrary code execution.

AC-17 Remote Access partial match
prevent

Restricts and authorizes all remote management connections to the device, reducing the network-reachable attack surface that the unauthenticated ping.ccp flaw exposes.

References