CVE-2020-27862

nvd nist
Published: Feb 12, 2021
Modified: Jun 17, 2026

CVSS score: 8.8
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DVA-2800 and DSL-2888A routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. When parsing the path parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the web server. Was ZDI-CAN-10911.

Affected (2)

2 products
Dva 2800 Firmware
Dsl 2888a Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable Software / Affected Versions: Version 2.30_au
Running on/with / Platform Versions: Dlink Dva 2800, Version revision_t

Configuration B
1 vulnerable · 1 platform
Vulnerable Software / Affected Versions: Version 2.30_au
Running on/with / Platform Versions: Dlink Dsl 2888a, Version revision_t

References (4)

Source: zdi-disclosures@trendmicro.com (Third Party Advisory, VDB Entry)
Source: af854a3a-2127-422b-91ae-364da2661108 (Vendor Advisory)
Source: af854a3a-2127-422b-91ae-364da2661108 (Third Party Advisory, VDB Entry)
