#VU25572 Incorrect Implementation of Authentication Algorithm in D-Link products - CVE-2020-8863
Published: February 25, 2020
Vulnerability identifier: #VU25572
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-8863
CWE-ID: CWE-303
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
DIR-867-US
DIR-878
DIR-882-US
DIR-867-US
DIR-878
DIR-882-US
Software vendor:
D-Link
D-Link
Description
The vulnerability allows a remote attacker to to bypass authentication process.
The vulnerability exists due to a lack of proper implementation of the authentication algorithm within the handling of HNAP PrivateLogin login requests. A remote attacker on the local network can bypass authentication and reset the admin password.
An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router.
Remediation
Install updates from vendor's website.