CVE-2020-10213

Name of the Vulnerable Software and Affected Versions D-Link DIR-825 Rev.B version 2.10 TRENDnet TEW-632BRP version 1.010B32

Description An issue exists that allows remote attackers to execute arbitrary commands via the wps sta enrollee pin parameter in a "set sta enrollee pin.cgi" POST request. The vulnerability is due to the lack of measures to neutralize special elements used in the operating system command. This can be exploited by a remote attacker to execute arbitrary commands.

Recommendations For D-Link DIR-825 Rev.B version 2.10, consider disabling the set sta enrollee pin.cgi function until a patch is available. For TRENDnet TEW-632BRP version 1.010B32, restrict access to the set sta enrollee pin.cgi module to minimize the risk of exploitation. Avoid using the wps sta enrollee pin parameter in the affected API endpoint until the issue is resolved.