First published: Tue May 01 2018
On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 devices with firmware 1.14.09 and earlier, and DCS-5020L devices with firmware before 1.15.01, command injection in alphapd (binary responsible for running the camera's web server) allows remote authenticated attackers to execute code through sanitized /setSystemAdmin user input in the AdminID field being passed directly to a call to system.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Dlink Dcs-5009 Firmware | <=1.08.11 | |
Dlink Dcs-5009 | | |
Dlink Dcs-5010 Firmware | <=1.14.09 | |
Dlink Dcs-5010 | | |
Dlink Dcs-5020l Firmware | <=1.14.09 | |
Dlink Dcs-5020l | | |
CVE-2017-17020 is a command injection vulnerability found in D-Link DCS-5009, DCS-5010, and DCS-5020L devices with certain firmware versions.
CVE-2017-17020 allows remote authenticated attackers to execute arbitrary commands on affected D-Link DCS-5009, DCS-5010, and DCS-5020L devices.
CVE-2017-17020 has a severity rating of 8.8 (high).
Firmware version 1.08.11 and earlier for D-Link DCS-5009, version 1.14.09 and earlier for DCS-5010, and versions before 1.15.01 for DCS-5020L are vulnerable to CVE-2017-17020.
To fix CVE-2017-17020, users should update their D-Link DCS-5009, DCS-5010, and DCS-5020L devices to the latest firmware version provided by D-Link.
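The bug class described above (a web form field such as AdminID reaching `system()`) is normally closed by allowlisting the field and executing the helper without a shell. The following is an added illustration, not alphapd's code or D-Link's patch; the function names, the 32-character limit and the use of `/bin/echo` as a stand-in helper are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define ADMIN_ID_MAX 32   /* assumed limit, not taken from the firmware */

/* Allowlist: 1..ADMIN_ID_MAX chars of [A-Za-z0-9_-], no leading '-'
 * (so the value can never be parsed as an option by the helper). */
int admin_id_is_valid(const char *id)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789_-";
    size_t n;
    if (id == NULL || id[0] == '-')
        return 0;
    n = strlen(id);
    return n > 0 && n <= ADMIN_ID_MAX && strspn(id, ok) == n;
}

/* Replacement for system("<helper> <id>"): the value travels as a single
 * argv element to execv(), so no shell ever parses it.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int run_helper_with_admin_id(const char *helper, const char *id)
{
    int status;
    pid_t pid;
    if (!admin_id_is_valid(id))
        return -1;                /* rejected before any process is created */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)id, NULL };
        execv(helper, argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs; /bin/echo stands in for the real helper. */
    printf("valid    -> %d\n", run_helper_with_admin_id("/bin/echo", "admin_01"));
    printf("rejected -> %d\n", run_helper_with_admin_id("/bin/echo", "a;b"));
    return 0;
}
```

Validation and shell-free execution are independent layers: either one alone blocks shell metacharacters in the field, and keeping both means a later loosening of the allowlist does not reopen the injection.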