Description
An issue was discovered in Gurux GXDLMS Director through 8.5.1905.1301. When downloading OBIS codes, it does not verify that the downloaded files are actual OBIS codes and doesn't check for path traversal. This allows the attacker exploiting CVE-2020-8809 to send executable files and place them in an autorun directory, or to place DLLs inside the existing GXDLMS Director installation (run on next execution of GXDLMS Director). This can be used to achieve code execution even if the user doesn't have any add-ins installed.
References (2)
Core References
- Third Party Advisory (x_refsource_misc): https://seqred.pl/en/cve-gurux-gxdlms-director/
- Exploit, Third Party Advisory (x_refsource_misc): https://github.com/seqred-s-a/gxdlmsdirector-cve
Scores
CVSS v3: 8.1
EPSS: 0.0211
EPSS Percentile: 79.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-22
Status: published
Products (1): gurux/device_language_message_specification_director < 8.5.1905.1301
Published: Feb 25, 2020
Tracked Since: Feb 18, 2026