CVE-2020-25506

CRITICAL KEV NUCLEI

Dlink Dns-320 Firmware - OS Command Injection

Title source: rule

Description

D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.

Nuclei Templates (1)

D-Link DNS-320 - Unauthenticated Remote Code Execution

CRITICALby gy741

Shodan: http.html:"sharecenter"

FOFA: body="sharecenter"

References (4)

[Exploit, Third Party Advisory] https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675

[Vendor Advisory] https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183

[Vendor Advisory] https://www.dlink.com/en/security-bulletin/

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25506

Scores

CVSS v3 9.8

EPSS 0.9429

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-03-15

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-18191

CWE

CWE-78

Status published

Products (1)

dlink/dns-320_firmware 2.06b01

Published Feb 02, 2021

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026