CVE-2020-27862

Name of the Vulnerable Software and Affected Versions D-Link DVA-2800 versions prior to 2.3 D-Link DSL-2888A versions prior to 2.3

Description This issue allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link routers. Authentication is not required to exploit this issue. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. When parsing the path parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of the web server.

Recommendations For D-Link DVA-2800 versions prior to 2.3, update to version 2.3 or later to resolve the issue. For D-Link DSL-2888A versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider disabling the dhttpd service until a patch is available. Restrict access to the dhttpd service, which listens on TCP port 8008 by default, to minimize the risk of exploitation.