CVE-2020-29557 : An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-1

An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.

Published 2021-01-29 20:15:13

Updated 2025-03-14 17:29:14

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Products affected by CVE-2020-29557

Dlink » Dir-825 R1 Firmware
Versions up to, including, (<=) 3.0.1
cpe:2.3:o:dlink:dir-825_r1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Dlink » Dir-825 » Version: R1
When used together with: Dlink » Dir-825/a » Version: D1A
When used together with: Dlink » Dir-825/ac » Version: E
When used together with: Dlink » Dir-825/ac » Version: E1A
When used together with: Dlink » Dir-825/acf » Version: F1
When used together with: Dlink » Dir-825/gf » Version: GF

CVE-2020-29557 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

D-Link DIR-825 R1 devices contain a buffer overflow vulnerability in the web interface that may allow for remote code execution.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2020-29557

Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2020-29557

EPSS FAQ

91.69%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-29557

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-07
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-29557

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2020-29557

https://shaqed.github.io/dlink/

Reversing DIR-825 Dlink router – Shaked Delarea – Security Researcher
Broken Link;Exploit;Third Party Advisory
https://www.dlink.ru/ru/download2/5/19/2354/441/

D-Link Загрузки
Product