CVE-2020-25757

Name of the Vulnerable Software and Affected Versions D-Link DSR-150 versions 3.14 through 3.17 D-Link DSR-250 versions 3.14 through 3.17 D-Link DSR-500 versions 3.14 through 3.17 D-Link DSR-1000AC versions 3.14 through 3.17

Description A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges.

Recommendations For D-Link DSR-150 version 3.14, update to a version that includes the necessary input validation and access controls. For D-Link DSR-150 version 3.17, update to a version that includes the necessary input validation and access controls. For D-Link DSR-250 version 3.14, update to a version that includes the necessary input validation and access controls. For D-Link DSR-250 version 3.17, update to a version that includes the necessary input validation and access controls. For D-Link DSR-500 version 3.14, update to a version that includes the necessary input validation and access controls. For D-Link DSR-500 version 3.17, update to a version that includes the necessary input validation and access controls. For D-Link DSR-1000AC version 3.14, update to a version that includes the necessary input validation and access controls. For D-Link DSR-1000AC version 3.17, update to a version that includes the necessary input validation and access controls. As a temporary workaround, consider disabling the Lua CGIs on the affected D-Link DSR VPN routers until a patch is available.