CVE-2021-27249

Name of the Vulnerable Software and Affected Versions D-Link DAP-2020 version 1.01rc001

Description The issue is related to the implementation of the WEB CmdFileList() function in the D-Link DAP-2020 Wi-Fi access point's firmware, which fails to neutralize special elements used in operating system commands when processing CGI scripts. This allows an attacker to execute arbitrary code on the device. The flaw exists due to the lack of proper validation of a user-supplied string before using it to execute a system call, enabling an attacker to execute code in the context of root. No authentication is required to exploit this issue.

Recommendations For D-Link DAP-2020 version 1.01rc001, consider disabling the WEB CmdFileList() function as a temporary workaround until a patch is available. Restrict access to CGI scripts to minimize the risk of exploitation. Avoid using user-supplied strings in system calls until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.