
CISA Warns of D-Link Vulnerabilities Actively Exploited in Attacks

Threat Score: 78 • 4 articles • 83.0% similarity • 2 hours ago

Key Insights

1. CISA has added three critical vulnerabilities affecting D-Link devices to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting an urgent need for remediation among federal and private sectors.
2. The vulnerabilities include CVE-2020-25078 (CVSS score: 7.5), CVE-2020-25079 (CVSS score: 8.8), and CVE-2020-40799 (CVSS score: 8.8), which potentially allow unauthorized access and control over D-Link cameras and network video recorders.
3. CVE-2020-25078 allows remote administrator password disclosure, while CVE-2020-25079 enables command injection, and CVE-2020-40799 permits code execution without integrity checks, posing significant risks to connected networks.
4. CISA reported that these vulnerabilities are actively exploited in the wild, with malicious actors leveraging them to conduct broader attacks, as evidenced by previous HiatusRAT campaigns targeting vulnerable devices.
5. D-Link has released patches for the first two vulnerabilities, but CVE-2020-40799 remains unpatched due to the affected device's end-of-life status as of November 2021, prompting CISA to advise users to discontinue use of the DNR-322L.
6. Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to address vulnerabilities listed in the KEV Catalog, emphasizing the need for immediate action to safeguard networks.

Threat Overview

On August 5, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) escalated its efforts to protect U.S. networks by adding three vulnerabilities affecting D-Link devices to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities are actively being exploited by threat actors, prompting a call to action for both federal agencies and private organizations. CISA emphasized the growing trend of cyberattacks targeting networking and surveillance hardware, with the agency urging immediate remediation efforts.

According to the alert, the vulnerabilities impact the D-Link DCS-2530L and DCS-2670L cameras and the DNR-322L network video recorder. The vulnerabilities are identified as CVE-2020-25078 (CVSS score: 7.5), CVE-2020-25079 (CVSS score: 8.8), and CVE-2020-40799 (CVSS score: 8.8). CVE-2020-25078 allows for remote administrator password disclosure, while CVE-2020-25079 enables authenticated command injection. CVE-2020-40799, which allows an authenticated attacker to execute operating system-level commands on the DNR-322L, remains unpatched as the device reached end-of-life status in November 2021.

CISA's advisory follows a December 2024 FBI warning about HiatusRAT campaigns actively scanning for vulnerable devices. D-Link has released patches for the first two vulnerabilities, but users of the DNR-322L are advised to discontinue its use due to the lack of available fixes.

CISA's Binding Operational Directive (BOD) 22-01 mandates that federal civilian executive branch agencies remediate all vulnerabilities listed in the KEV Catalog by specified deadlines. This directive establishes the KEV Catalog as a critical resource for identifying vulnerabilities that pose substantial risks to national security. CISA's alert serves as a critical reminder for organizations to assess their security posture and take necessary actions to mitigate the risks posed by these vulnerabilities. Immediate patching and device replacement are recommended as preventive measures against potential cyber threats.

Tactics, Techniques & Procedures (TTPs)

  • T1190: Exploit Public-Facing Application - Attackers are leveraging vulnerabilities in D-Link devices to gain unauthorized access to networks [2][4]
  • T1059.007: JavaScript/JScript - Command injection vulnerabilities allow attackers to execute arbitrary commands on vulnerable D-Link devices [1][2]
  • T1203: Exploitation for Client Execution - Malicious actors may exploit these vulnerabilities to run unauthorized code on affected devices [1][3]
  • T1557: Adversary-in-the-Middle - Exploiting vulnerabilities may allow attackers to intercept and manipulate communications between devices [1][4]
  • T1071: Application Layer Protocol - Attackers use application layer protocols to communicate with compromised D-Link devices [2][3]
  • T1070: Indicator Removal on Host - Attackers may attempt to cover their tracks after exploiting the vulnerabilities by removing logs [3][4]
  • T1046: Network Service Scanning - Scanning for vulnerable devices is a precursor to exploiting the identified vulnerabilities [1][2]

Timeline of Events

  • 2020: D-Link releases initial versions of DCS-2530L and DCS-2670L devices and DNR-322L network video recorder.
  • 2020-2022: Vulnerabilities CVE-2020-25078, CVE-2020-25079, and CVE-2020-40799 are discovered.
  • 2024-12: FBI issues advisory warning about HiatusRAT campaigns targeting vulnerable D-Link devices [2].
  • 2025-08-05: CISA adds vulnerabilities to the KEV Catalog, urging immediate action from federal and private sectors [1][4].
  • 2025-08-06: D-Link confirms patch releases for CVE-2020-25078 and CVE-2020-25079, advises discontinuation of DNR-322L due to end-of-life status [2][3].

Source Citations

  • Expert quotes: FBI (Article 2), CISA (Article 1), D-Link (Article 2)
  • Primary findings: Exploitation evidence (Articles 2, 4), CVE details and patches (Articles 1, 2), Vulnerable instance count (Article 4)
  • Technical details: Attack methods (Articles 1, 2, 3), Persistence techniques (Articles 2, 4)
Powered by ThreatCluster AI
Generated 1 hour ago
Recent Analysis
AI analysis may contain inaccuracies

Related Articles

4 articles
1. CISA Warns of D-Link Vulnerabilities Actively Exploited in Attacks

Cybersecurity News • 9 hours ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert, adding three vulnerabilities affecting D-Link devices to its Known Exploited Vulnerabilities (KEV) Catalog. The inclusion of these flaws in the catalog signifies that they are being actively exploited by malicious cyber actors in real-world attacks, posing a significant threat to networks. The […]

Score: 82 • 93.0% similarity
2. CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports

The Hacker News • 6 hours ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link Wi-Fi cameras and video recorders to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The high-severity vulnerabilities, which are from 2020 and 2022, are listed below - CVE-2020-25078 (CVSS score: 7.5) - An unspecified vulnerability in D-Link DCS-2530L and DCS-2670L devices that could allow for remote administrator passw

Score: 80 • 96.0% similarity
3. CISA Alerts on Ongoing Exploits Targeting D-Link Device Vulnerabilities

GB Hackers • 5 hours ago

The Cybersecurity and Infrastructure Security Agency (CISA) has escalated its campaign to protect U.S. networks by adding three newly exploited D-Link device vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The alert, issued on August 5, 2025, emphasizes a rising trend of cyberattacks targeting networking and surveillance hardware, with federal agencies and private organizations urged to act immediately.

Score: 78 • 96.0% similarity
4. U.S. CISA adds D-Link cameras and Network Video Recorder flaws to its Known Exploited Vulnerabilities catalog

Security Affairs • 5 hours ago

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds D-Link cameras and Network Video Recorder flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: According to Binding Operational Directive (BOD) 22-01: […]

Score: 62 • 89.0% similarity

Cluster Intelligence

Key entities and indicators for this cluster

  • Vulnerabilities: Remote Code Execution, Command Injection
  • Attack types: Remote Code Execution, Command Injection
  • MITRE ATT&CK: T1070, T1190, T1203, T1059, T1071
  • Malware: HiatusRAT
  • Industries: Networking, Surveillance
  • Companies: D-Link
  • Agencies: FBI
  • CVEs: CVE-2020-40799, CVE-2020-25078, CVE-2020-25079
CLUSTER INFORMATION
Cluster #1720
Created 2 hours ago
Semantic Algorithm
