CVE-2020-25367: A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices with firm...
A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices with firmware V1.0.2B05. An attacker is able to execute arbitrary web scripts via shell metacharacters in the Captcha field to Login.
Security readout for executives and security teams
Plain-English summary
CVE-2020-25367 is a command injection issue in D-Link DIR-823G routers running firmware V1.0.2B05. The reported flaw is in the HNAP1 login handling, where the Captcha field can accept shell metacharacters. For businesses, the concern is compromise of a network edge device if affected routers are deployed.
Executive priority
Treat as high priority if DIR-823G routers are present, especially at branch offices or exposed edges. Confirm inventory first, then reduce management exposure and seek vendor firmware guidance. There is no source-confirmed active exploitation, but command injection on a router can create serious business impact.
Technical view
The CVE describes command injection in the HNAP1 protocol of D-Link DIR-823G firmware V1.0.2B05. Input in the Login Captcha field is reportedly not safely handled, allowing arbitrary command/script execution through shell metacharacters. The source bundle provides no CVSS score, CWE, confirmed patch version, or vendor remediation details specific to this CVE.
Likely exposure
Exposure is limited to D-Link DIR-823G devices running firmware V1.0.2B05. Risk increases if the router management interface or HNAP1 endpoint is reachable from untrusted networks, including the internet. The provided data does not identify other affected models or firmware versions.
Exploitation context
The CVE record references a public researcher write-up and D-Link’s security bulletin page. CISA KEV status is false in the provided bundle, and no cited source states active exploitation. The issue appears reachable through login-related HNAP1 handling, but authentication requirements are not fully clarified in the sources.
Researcher notes
Evidence is sparse: no CVSS, CWE, detailed vendor advisory, or fixed version is included in the bundle. Analysis should remain scoped to DIR-823G firmware V1.0.2B05 unless additional vendor data confirms more. Avoid assuming active exploitation; KEV is false in the provided data.
Mitigation direction
Check D-Link’s security bulletin and support resources for firmware guidance.
Update affected DIR-823G devices if D-Link provides a fixed firmware.
Disable internet exposure of router administration and HNAP1 interfaces.
Restrict management access to trusted internal networks or VPN only.
Replace unsupported devices if no vendor fix is available.
Validation and detection
Inventory D-Link DIR-823G routers and record firmware versions.
Identify any devices running firmware V1.0.2B05.
Confirm whether HNAP1 or admin interfaces are reachable externally.
Review firewall and remote-management settings for exposed router management.
Monitor logs for suspicious login or management-interface activity.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Nov 4, 2021, 09:58 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.