CVE-2020-29557
published 2021-01-29


Priority: P1 · 91 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), due 2022-05-03
Exploited in the wild (ITW)
EPSS: 54.32% (98.9th percentile)
An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.

Affected (1 range)

Vendor: dlink
Product: dir-825_r1_firmware
Version range: <= 3.0.1
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /check_browser?lang=
Snort/Suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DIR-825 R1 Web Interface RCE (CVE-2020-29557)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_browser?lang="; nocase; fast_pattern; isdataat:100,relative; reference:url,shaqed.github.io/dlink/; reference:cve,2020-29557; classtype:attempted-admin; sid:2034280; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_10_28, cve CVE_2020_29557, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22;)
  • Exploit traffic is an HTTP GET to the /check_browser?lang= URI on the device web interface; the rule fires when at least 100 further bytes follow that match in the URI buffer (isdataat:100,relative), i.e. an oversized lang value consistent with a buffer-overflow attempt.
  • Traffic direction is inbound to $HOME_NET/$HTTP_SERVERS; the rule metadata marks it for both perimeter and internal deployment.
  • The bug is pre-authentication, so no session or credentials are needed; any unauthenticated GET to /check_browser?lang= with a long value should be treated as a high-severity alert.
  • The rule only fires for destinations inside $HOME_NET/$HTTP_SERVERS; make sure D-Link DIR-825 R1 devices are covered by those variable definitions.
  • Affected devices are D-Link DIR-825 R1 through firmware 3.0.1 before 2020-11-20; firmware dated from 2020-11-20 onward is outside the described range, but the affected-range entry above lists no fixed version, so confirm against the vendor's release notes before treating a device as patched.
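To turn the rule's three conditions (GET method, a case-insensitive match on the URI marker, and at least 100 bytes after it) into something you can run over HTTP request lines collected by an inline proxy, IDS or pcap export (the router will not log its own crash), here is an added Python example. It is not the Emerging Threats rule and not D-Link code; the access-log lines are constructed, the helper names are hypothetical, and the 100-byte threshold approximates the engine's isdataat:100,relative boundary rather than reproducing it bit-for-bit.

```python
"""Scan access-log request lines for the CVE-2020-29557 pattern used by
ET SID 2034280. Added illustration; not the ET rule, not device code."""
import re
from typing import List, Optional, Tuple

# Conditions taken from the rule: http.method "GET"; http.uri contains
# "/check_browser?lang=" with nocase; isdataat:100,relative afterwards.
# The 100-byte figure approximates the engine's boundary check.
MARKER = "/check_browser?lang="
MIN_TRAILING = 100

# Common/combined log format request line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)


def trailing_bytes(uri: str) -> Optional[int]:
    """Number of URI characters after the marker, or None if the marker
    is absent. Case-insensitive, like the rule's nocase modifier."""
    idx = uri.lower().find(MARKER)
    if idx < 0:
        return None
    return len(uri) - (idx + len(MARKER))


def matches_rule(method: str, uri: str) -> bool:
    """True when a request satisfies all three rule conditions."""
    if method != "GET":
        return False
    trailing = trailing_bytes(uri)
    return trailing is not None and trailing >= MIN_TRAILING


def scan_access_log(lines: List[str]) -> List[Tuple[str, int]]:
    """Return (source_ip, bytes_after_marker) for each matching line."""
    hits: List[Tuple[str, int]] = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        method, uri = m.group("method"), m.group("uri")
        if matches_rule(method, uri):
            hits.append((m.group("src"), trailing_bytes(uri)))
    return hits


# Constructed sample lines (not real traffic). Lines 2 and 4 should fire:
# GET, marker present (line 4 in mixed case), >= 100 bytes after it.
# Line 1 carries a two-byte language code, line 3 is a POST, line 5 is
# unrelated.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2021:10:01:02 +0000] "GET /check_browser?lang=en HTTP/1.1" 200 512',
    '192.0.2.11 - - [28/Oct/2021:10:01:03 +0000] "GET /check_browser?lang='
    + "A" * 180 + ' HTTP/1.1" 500 0',
    '192.0.2.12 - - [28/Oct/2021:10:01:04 +0000] "POST /check_browser?lang='
    + "A" * 180 + ' HTTP/1.1" 200 0',
    '192.0.2.13 - - [28/Oct/2021:10:01:05 +0000] "GET /CHECK_BROWSER?Lang='
    + "B" * 120 + ' HTTP/1.1" 200 0',
    '192.0.2.14 - - [28/Oct/2021:10:01:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, n in scan_access_log(SAMPLE_LOG):
        print(f"ALERT CVE-2020-29557 pattern from {src}: {n} bytes after lang=")
```

Because the rule matches on the normalized http.uri buffer of the live stream, a proxy log that URL-decodes or truncates the request line can under- or over-count; when in doubt, run the ET rule itself against a pcap rather than relying on log-derived counts.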

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL