First published: Thu Feb 11 2021(Updated: )
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 firmware version 1.04B03 WiFi extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the uhttpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the device. Was ZDI-CAN-10894.
Credit: zdi-disclosures@trendmicro.com
Affected Software | Affected Version | How to fix |
---|---|---|
D-Link DAP-1860 | ||
Dlink Dap-1860 Firmware | <=1.04b03 | |
Dlink Dap-1860 | =ax |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-27865 is a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 firmware version 1.04B03 WiFi extenders.
No, authentication is not required to exploit this vulnerability.
The uhttpd service is affected by CVE-2020-27865.
CVE-2020-27865 has a severity value of 8.8, which is considered high.
The vendor, D-Link, has released firmware version 1.05B01 that addresses this vulnerability. It is recommended to update to the latest firmware version.