CVE-2020-9377
Published: 09 July 2020
Summary
CVE-2020-9377 is a high-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-610 firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.0% of CVEs by predicted exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
D-Link DIR-610 wireless routers contain an OS command injection vulnerability, identified as CVE-2020-9377 and assigned CWE-78. The flaw exists in the command.php script, which accepts an unsanitized cmd parameter that is passed directly to the underlying operating system. The vulnerability affects only devices that are no longer supported by the vendor.
An attacker with network access and a valid low-privileged account can send crafted HTTP requests that place arbitrary shell commands in the cmd parameter. The CVSS vector records a network attack vector, low attack complexity, low privileges required and no user interaction; successful exploitation yields command execution on the device with high impact to confidentiality, integrity, and availability.
D-Link security advisory SAP10182 states that the DIR-610 has reached end-of-life and will receive no patches or ongoing support. The vendor directs users to the product page confirming the unsupported status and recommends replacing the device.
The published proof-of-concept on GitHub demonstrates direct remote command execution against exposed devices.
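Since no patch will ever ship, the practical question for defenders is whether anyone is reaching command.php at all. The following Python is an added example, not code from this page, from D-Link, or from the referenced proof-of-concept: it scans access logs in combined log format (assumed to come from a reverse proxy or network sensor in front of the router, since the DIR-610 itself produces no such log) for requests to command.php carrying a cmd parameter, and rates each hit by whether the URL-decoded value contains shell metacharacters. The sample log lines, source addresses, and the metacharacter set are all constructed for the example; the exact characters the firmware passes through to the shell are not documented on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format lines, constructed for this example (not real traffic from any device).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jul/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [09/Jul/2020:10:00:02 +0000] "GET /command.php?cmd=ls HTTP/1.1" 200 120 "-" "curl/7.68.0"
192.0.2.12 - - [09/Jul/2020:10:00:03 +0000] "GET /command.php?cmd=ping%20-c%201%20127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 980 "-" "python-requests/2.23"
192.0.2.13 - - [09/Jul/2020:10:00:04 +0000] "POST /command.php HTTP/1.1" 200 80 "-" "curl/7.68.0"
192.0.2.14 - - [09/Jul/2020:10:00:05 +0000] "GET /status.php?page=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Leading fields of the combined log format: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a value escape a single shell word. This is a triage
# heuristic (assumption), not a statement of what the DIR-610 firmware accepts.
SHELL_META = set(';|&`$\n<>(){}')

TARGET_SCRIPT = '/command.php'   # script named in the CVE text
TARGET_PARAM = 'cmd'             # parameter named in the CVE text


def parse_line(line: str):
    """Return the parsed fields of one log line, with path and decoded query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['path'] = parts.path
    # parse_qs percent-decodes, so %3B becomes ';' before the metacharacter check.
    entry['query'] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry: dict):
    """Return a finding for requests to the vulnerable script, or None for everything else."""
    if entry['path'].lower() != TARGET_SCRIPT:
        return None
    cmd_values = entry['query'].get(TARGET_PARAM, [])
    if not cmd_values:
        # A POST (or a GET without a query) can still carry cmd in the body, which a
        # combined log never records; surface it for manual review rather than drop it.
        return {'src': entry['src'], 'severity': 'medium', 'cmd': None,
                'reason': f'{entry["method"]} to {TARGET_SCRIPT} (cmd not visible in log)'}
    cmd = cmd_values[0]
    if SHELL_META & set(cmd):
        return {'src': entry['src'], 'severity': 'high', 'cmd': cmd,
                'reason': 'shell metacharacters in cmd'}
    return {'src': entry['src'], 'severity': 'medium', 'cmd': cmd,
            'reason': 'cmd parameter sent to unsupported endpoint'}


def scan(log_text: str):
    """Scan a whole log and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:12} {f['reason']}  cmd={f['cmd']!r}")
```

Because the device is end-of-life, the useful output is the full inventory of clients reaching the endpoint, not only the high-severity rows: a medium finding from an address outside the management network is already a boundary-protection failure, whatever the cmd value was.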
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30198
Vulnerability details
D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): directly requires replacement or isolation of the unsupported DIR-610, which will receive no patch for the command.php flaw.
- SI-10 (Information Input Validation): mandates validation and sanitization of the cmd parameter, which is passed unsanitized to the operating system and enables the command injection.
- SC-7 (Boundary Protection): enforces boundary protection to block network access to the vulnerable command.php endpoint on exposed routers.