Cyber Resilience

CVE-2020-25506

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 02 February 2021

Modified: 07 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9424 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-25506 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DNS-320 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

D-Link DNS-320 firmware version 2.06B01 Revision Ax contains a command injection vulnerability in the system_mgr.cgi component, classified under CWE-78. The flaw permits unauthenticated remote attackers to execute arbitrary operating system commands on the affected network-attached storage device, as reflected in its CVSS 3.1 base score of 9.8 with a network attack vector, low complexity, and no required privileges or user interaction.

An attacker with network access to the device can submit specially crafted requests to system_mgr.cgi and obtain full control over the system, resulting in complete compromise of confidentiality, integrity, and availability without any prior authentication.

D-Link has published security advisories and support announcements, including SAP10183, that address the issue and are referenced from the vendor's security bulletin page. No information on real-world exploitation or additional mitigations beyond the referenced vendor publications is provided in the available details.

EU & UK References

Vulnerability details

D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dlink
Product: dns-320 firmware
Version: 2.06b01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of all inputs to system_mgr.cgi, directly blocking the unsanitized command strings that enable the CWE-78 injection.

prevent

Requires prompt application of the vendor firmware update (SAP10183) that removes the command-injection flaw from the affected DNS-320 device.

prevent

Enforces authentication and authorization checks before any request reaches system_mgr.cgi, eliminating the unauthenticated remote execution path.

References