CVE-2020-15633
HIGHD-Link DIR-867,DIR-878,DIR-882 <1.20B10_BETA - Auth Bypass
Title source: llmDescription
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-10835.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-20-881/
Vendor Advisory x_refsource_misc
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10186
Scores
CVSS v3
8.8
EPSS
0.0277
EPSS Percentile
84.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-288
Status
published
Products (3)
d-link/dir-867_firmware
< 1.20b10
d-link/dir-878_firmware
< 1.20b05
d-link/dir-882_firmware
Published
Jul 23, 2020
Tracked Since
Feb 18, 2026