CVE-2020-25078
Published: 02 September 2020
Summary
CVE-2020-25078 is a high-severity vulnerability (unspecified weakness type) in D-Link DCS-4603 firmware. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2020-25078 affects D-Link DCS-2530L devices prior to firmware version 1.06.01 Hotfix and DCS-2670L devices through version 2.02. The vulnerability resides in the unauthenticated /config/getuser endpoint, which exposes administrator credentials without requiring any form of authentication or user interaction.
An attacker with network reachability to an affected device can issue a direct request to the endpoint and retrieve the administrator password in plaintext. This yields full administrative access with a CVSS 3.1 score of 7.5, driven by the network attack vector, low complexity, and high confidentiality impact.
D-Link security advisory SAP10180 directs users to apply the specified hotfix for DCS-2530L and to upgrade DCS-2670L firmware to a version beyond 2.02. The vendor also provides product-specific support pages listing the corrected releases.
No public evidence of in-the-wild exploitation is referenced in the available advisories or announcements.
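As an added defensive illustration (not part of this advisory record), the following detection logic scans web-server log lines for requests to the /config/getuser endpoint described above and ranks each hit by whether it succeeded and where it came from. The sample log lines, the source addresses and the management network 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in Combined Log Format, as a reverse proxy in
# front of an affected camera might record them.
SAMPLE_LOG = """\
10.0.5.23 - - [03/Sep/2020:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
192.168.1.10 - - [03/Sep/2020:10:15:44 +0000] "GET /config/getuser?index=0 HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Sep/2020:11:02:10 +0000] "GET /config/getuser?index=0 HTTP/1.1" 200 57 "-" "python-requests/2.24"
203.0.113.7 - - [03/Sep/2020:11:02:11 +0000] "GET /config/getuser HTTP/1.1" 401 0 "-" "python-requests/2.24"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed management network; hits from anywhere else are treated as hostile.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def is_mgmt(src: str) -> bool:
    try:
        return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
    except ValueError:  # hostname or garbage in the source field
        return False


def scan_log(text: str) -> list[tuple[str, str, int, str]]:
    """Return (src, timestamp, status, severity) for every /config/getuser request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Strip the query string so ?index=0 variants still match.
        if m["path"].split("?", 1)[0] != "/config/getuser":
            continue
        status = int(m["status"])
        if status != 200:
            sev = "low"       # refused or failed: patched device or proxy blocked it
        elif is_mgmt(m["src"]):
            sev = "medium"    # succeeded, but from an expected source
        else:
            sev = "high"      # plaintext admin credentials likely disclosed
        findings.append((m["src"], m["ts"], status, sev))
    return findings
```

Any "high" finding on an unpatched device should be treated as a credential compromise: rotate the administrator password after applying the vendor hotfix.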
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-17770
Vulnerability details
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.
- CWE(s)
- KEV Date Added: 05 August 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization checks before any access to sensitive endpoints such as /config/getuser is granted.
- IA-2 (Identification and Authentication (Organizational Users)): Requires unique identification and authentication of users prior to allowing any interaction with device configuration functions.
- Mandates that all remote access paths to the device implement authentication and access control, eliminating unauthenticated endpoints.