CVE-2020-25506
Published: 02 February 2021
Summary
CVE-2020-25506 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DNS-320 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
D-Link DNS-320 firmware version 2.06B01 Revision Ax contains a command injection vulnerability in the system_mgr.cgi component, classified under CWE-78. The flaw permits unauthenticated remote attackers to execute arbitrary operating system commands on the affected network-attached storage device, as reflected in its CVSS 3.1 base score of 9.8 with a network attack vector, low complexity, and no required privileges or user interaction.
An attacker with network access to the device can submit specially crafted requests to system_mgr.cgi and obtain full control over the system, resulting in complete compromise of confidentiality, integrity, and availability without any prior authentication.
D-Link has published security advisories and support announcements, including SAP10183, that address the issue and are referenced from the vendor's security bulletin page. No information on real-world exploitation or additional mitigations beyond the referenced vendor publications is provided in the available details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-18191
Vulnerability details
D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.
- CWE(s): CWE-78
- KEV date added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of all inputs to system_mgr.cgi, directly blocking the unsanitized command strings that enable the CWE-78 injection.
- SI-2 (Flaw Remediation): requires prompt application of the vendor firmware update (SAP10183) that removes the command-injection flaw from the affected DNS-320 device.
- Enforces authentication and authorization checks before any request reaches system_mgr.cgi, eliminating the unauthenticated remote execution path.
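The SI-10 control above is the one that directly neutralises a CWE-78 flaw in a CGI handler. The following C illustration is an added example, not D-Link's code and not taken from system_mgr.cgi: it shows the unsafe pattern (a request parameter concatenated into a shell command line) beside the hardened form, which allowlist-validates the value and then executes a fixed program with execv so no shell ever parses the input. The tool path, parameter name and character allowlist are assumptions chosen for the illustration.

```c
/* Added illustration of NIST SI-10 input validation against CWE-78.
 * Not D-Link firmware code; tool path and parameter names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME 64

/* Allowlist check for a hypothetical "volume name" request parameter:
 * non-empty, bounded, and made only of [A-Za-z0-9_-]. Anything else is
 * rejected outright rather than escaped, so shell metacharacters such as
 * ';', '|', '&', '`' or '$' can never reach a command. Returns 1 if valid. */
int valid_name(const char *s) {
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n >= MAX_NAME) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened form: run a fixed program with the validated value as a single
 * argv element. No /bin/sh is involved, so even a value that passed the
 * allowlist cannot be reinterpreted as shell syntax. Returns the child's
 * exit status, or -1 if the value is rejected or the process cannot run. */
int run_fixed_tool(const char *tool_path, const char *name) {
    if (!valid_name(name)) return -1;        /* SI-10: validate before use */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool_path, (char *)name, NULL };
        execv(tool_path, argv);               /* direct exec, no shell */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Unsafe pattern for comparison only (never called here): the parameter is
 * pasted into a command string and handed to system(), so the shell parses
 * whatever the request contained. This is the shape of a CWE-78 bug. */
int unsafe_run(const char *name) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/usr/sbin/hypothetical_tool %s", name);
    return system(cmd);
}

int main(void) {
    /* Constructed sample inputs: one benign value, one carrying shell syntax. */
    const char *benign = "volume-1";
    const char *hostile = "volume-1; id";
    printf("valid_name(\"%s\") = %d\n", benign, valid_name(benign));
    printf("valid_name(\"%s\") = %d\n", hostile, valid_name(hostile));
    printf("run_fixed_tool(/bin/echo, benign) = %d\n",
           run_fixed_tool("/bin/echo", benign));
    printf("run_fixed_tool(/bin/echo, hostile) = %d\n",
           run_fixed_tool("/bin/echo", hostile));
    return 0;
}
```

The point of the hardened form is that validation and shell-free execution are applied together: the allowlist stops hostile input at the boundary, and execv with a discrete argv removes the shell as an interpreter, so a gap in one layer is not enough on its own to give a remote caller command execution.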