CVE-2020-27862
HIGHD-Link DVA-2800 and DSL-2888A - Unauthenticated Remote Code Execution via dhttpd Path Parameter
Title source: llmDescription
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DVA-2800 and DSL-2888A routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. When parsing the path parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the web server. Was ZDI-CAN-10911.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-20-1426/
Vendor Advisory x_refsource_misc
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10196
Scores
CVSS v3
8.8
EPSS
0.0337
EPSS Percentile
87.5%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (2)
dlink/dsl-2888a_firmware
2.30_au
dlink/dva-2800_firmware
2.30_au
Published
Feb 12, 2021
Tracked Since
Feb 18, 2026