CVE-2020-15893

Name of the Vulnerable Software and Affected Versions D-Link DIR-816L versions 2.x before 1.10b04Beta02

Description An issue exists in the Universal Plug and Play (UPnP) component of the D-Link DIR-816L device, where UPnP is enabled by default on port 1900. This allows an attacker to perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet. The vulnerability can be exploited by a remote attacker to execute arbitrary commands.

Recommendations For D-Link DIR-816L versions 2.x before 1.10b04Beta02, update to version 1.10b04Beta02 or later to resolve the issue. As a temporary workaround, consider disabling the UPnP feature on port 1900 to minimize the risk of exploitation. Restrict access to the SSDP M-SEARCH discover packet to prevent command injection attacks. Avoid using the Search Target (ST) field in the SSDP M-SEARCH packet until the issue is resolved.