CVE-2023-25280
In short
A D-Link router has a critical flaw where attackers can inject malicious commands through the ping feature, allowing them to take complete control of the device with administrator privileges.
Technical detail
OS command injection vulnerability in the ping.ccp endpoint via the ping_addr parameter allows unauthenticated attackers to execute arbitrary commands with root privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system command execution functions.
Summary generated and translated by AI from the official description.
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a