Kevin R

#40821 of 53,638
6.5 CVSS total
Vulnerabilities · 1
PT-2018-3888
6.5
2018-06-10
D Link · D-Link Dir-895L/R · CVE-2018-12103
**Name of the Vulnerable Software and Affected Versions**

- D-Link DIR-890L versions 1.21B02beta01 and earlier
- D-Link DIR-885L/R versions 1.21B03beta01 and earlier
- D-Link DIR-895L/R versions 1.21B04beta04 and earlier

**Description**

The issue is related to the predictability of the "/docs/captcha (number).jpeg" URI in the administrator's panel, which can be accessed locally without authentication. This allows an attacker to disclose and manipulate CAPTCHAs, potentially leading to unauthorized login attempts to the access point. The vulnerability is associated with weaknesses in the authorization mechanism when handling the "docs/captcha (number).jpeg" file.

**Recommendations**

- For D-Link DIR-890L versions 1.21B02beta01 and earlier, consider restricting access to the "/docs/captcha (number).jpeg" URI until a patch is available.
- For D-Link DIR-885L/R versions 1.21B03beta01 and earlier, avoid using the CAPTCHA mechanism for authentication until the issue is resolved.
- For D-Link DIR-895L/R versions 1.21B04beta04 and earlier, as a temporary workaround, consider disabling the CAPTCHA feature to minimize the risk of exploitation.