CISA Adds Three D-Link Vulnerabilities to Known Exploited Vulnerabilities Catalog Amid Active Exploitation Evidence

On August 5, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog by incorporating three significant security flaws affecting D-Link devices. This action follows confirmed reports of these vulnerabilities being actively exploited in real-world scenarios.

Detailed Overview of the Vulnerabilities:

1. CVE-2020-25078: This vulnerability, assigned a Common Vulnerability Scoring System (CVSS) score of 7.5, concerns an unspecified flaw in D-Link DCS-2530L and DCS-2670L devices. Exploitation can lead to remote disclosure of the administrator password, which in turn can grant unauthorized access to the device configuration.

2. CVE-2020-25079: With a CVSS score of 8.8, this flaw involves an authenticated command injection vulnerability within the `cgi-bin/ddns_enc.cgi` component of D-Link DCS-2530L and DCS-2670L devices. Attackers with authentication credentials can execute arbitrary commands on the device, compromising its integrity and functionality.

3. CVE-2020-40799: Also rated with a CVSS score of 8.8, this vulnerability exists in the D-Link DNR-322L model. It allows for the download of code without an integrity check, enabling authenticated attackers to execute operating system-level commands, thereby taking full control of the device.

Context and Implications:

The inclusion of these vulnerabilities in the KEV catalog underscores the critical nature of these security issues. While specific details on the exploitation methods remain undisclosed, a December 2024 advisory from the U.S. Federal Bureau of Investigation (FBI) highlighted that HiatusRAT campaigns were actively scanning for web cameras susceptible to CVE-2020-25078.

Notably, CVE-2020-40799 will not be patched, because the DNR-322L reached end-of-life (EoL) status in November 2021. Users relying on this model are strongly advised to discontinue its use and transition to supported devices to mitigate security risks. By contrast, D-Link released patches for CVE-2020-25078 and CVE-2020-25079 in 2020. Users of DCS-2530L and DCS-2670L devices should ensure these updates are applied promptly to safeguard against potential exploits.

Recommendations for Federal Agencies:

In response to the active exploitation of these vulnerabilities, CISA mandates that Federal Civilian Executive Branch (FCEB) agencies implement necessary mitigation measures by August 26, 2025. This directive aims to fortify network defenses and prevent unauthorized access or control over critical infrastructure.

Broader Implications for Organizations:

While the immediate directive targets federal agencies, the implications extend to all organizations utilizing D-Link devices. The active exploitation of these vulnerabilities highlights the persistent threats targeting networked devices, especially those that have reached EoL status.

Recommended Actions:

– Immediate Patching: For devices still supported by D-Link, promptly apply the latest firmware updates to address known vulnerabilities.

– Device Replacement: For EoL devices like the DNR-322L, replace them with current models that receive regular security updates.

– Network Monitoring: Implement continuous monitoring to detect unusual activities that may indicate exploitation attempts.

– Access Controls: Restrict device access to authorized personnel and employ strong, unique passwords to enhance security.
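The recommended actions above come down to one triage question per asset: is it on the KEV catalog, and if so, can it be patched or must it be replaced before the due date? The script below is an added example (it is not code from CISA, D-Link or the article) that answers that question for a small inventory. The KEV snapshot uses the field names of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`), but its entries are constructed from the article text rather than downloaded; the inventory, host names and the `eol` flag are likewise assumptions standing in for an asset database.

```python
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed. Field names match the
# public feed's schema; the entries are built from the article, not downloaded.
KEV_SNAPSHOT = json.loads("""
{
  "title": "Constructed KEV snapshot (example data)",
  "vulnerabilities": [
    {"cveID": "CVE-2020-25078", "vendorProject": "D-Link",
     "product": "DCS-2530L, DCS-2670L", "dateAdded": "2025-08-05",
     "dueDate": "2025-08-26", "requiredAction": "Apply vendor patches"},
    {"cveID": "CVE-2020-25079", "vendorProject": "D-Link",
     "product": "DCS-2530L, DCS-2670L", "dateAdded": "2025-08-05",
     "dueDate": "2025-08-26", "requiredAction": "Apply vendor patches"},
    {"cveID": "CVE-2020-40799", "vendorProject": "D-Link",
     "product": "DNR-322L", "dateAdded": "2025-08-05",
     "dueDate": "2025-08-26",
     "requiredAction": "Product is end of life; discontinue use"}
  ]
}
""")

# Constructed asset inventory (hypothetical hosts); 'eol' is assumed to come from
# the organisation's asset database or the vendor's EoL list.
INVENTORY = [
    {"host": "cam-lobby", "vendor": "D-Link", "model": "DCS-2530L", "eol": False},
    {"host": "cam-dock", "vendor": "D-Link", "model": "DCS-2670L", "eol": False},
    {"host": "nvr-01", "vendor": "D-Link", "model": "DNR-322L", "eol": True},
    {"host": "sw-core", "vendor": "OtherVendor", "model": "X-1000", "eol": False},
]


def kev_index(kev):
    """Map (vendor, product) -> KEV entries; KEV lists several products in one string."""
    index = {}
    for entry in kev["vulnerabilities"]:
        vendor = entry["vendorProject"].strip().lower()
        for product in entry["product"].split(","):
            index.setdefault((vendor, product.strip().lower()), []).append(entry)
    return index


def triage(inventory, kev, today):
    """Return one finding per (asset, KEV entry) match with the required action.

    `today` may be a date or an ISO date string. EoL hardware cannot be patched,
    so its only remediation is replacement, as the article states for the DNR-322L.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    index = kev_index(kev)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].strip().lower(), asset["model"].strip().lower())
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "action": "replace" if asset["eol"] else "patch",
                "required_action": entry["requiredAction"],
                "days_until_due": (due - today).days,
                "overdue": today > due,
            })
    # Sort so reports are stable and grouped per host.
    return sorted(findings, key=lambda f: (f["host"], f["cve"]))


def main():
    for f in triage(INVENTORY, KEV_SNAPSHOT, "2025-08-10"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_until_due']}d left"
        print(f"{f['host']:10} {f['cve']}  {f['action']:8} {status}")


if __name__ == "__main__":
    main()
```

Against the live feed the same logic applies unchanged: load the catalog JSON instead of the snapshot, and feed it the real inventory. Matching on the vendor/product pair is deliberately exact rather than fuzzy, so a model that the catalog lists under a slightly different spelling shows up as a gap to investigate rather than as a silent false negative.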

Conclusion:

The proactive inclusion of these D-Link vulnerabilities in CISA’s KEV catalog serves as a critical reminder of the importance of maintaining up-to-date security measures. Organizations must remain vigilant, ensuring that all devices are patched, monitored, and, when necessary, replaced to mitigate the risks associated with known exploited vulnerabilities.