PT-2020-15932 · D Link · D-Link Dcs-2530L +1

Fenix · Published 2020-09-02 · Updated 2025-08-09 · CVE-2020-25078

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
D-Link DCS-2530L versions prior to 1.06.01 Hotfix
D-Link DCS-2670L versions through 2.02

Description
An issue exists on D-Link DCS-2530L and DCS-2670L devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure. This vulnerability is actively exploited in the wild, as confirmed by CISA’s Known Exploited Vulnerabilities (KEV) catalog. The HiatusRAT actors are targeting web cameras and DVRs, including those affected by this vulnerability.

Recommendations
Update D-Link DCS-2530L to version 1.06.01 Hotfix or later.
Update D-Link DCS-2670L to a version after 2.02.

Exploit

Fix

Related Identifiers

CVE-2020-25078

Affected Products

D-Link Dcs-2530L
D-Link Dcs-2670L