D-Link DCS-2530L < 1.07 and DCS-2670L < 2.03 Multiple Vulnerabilities

high Nessus Plugin ID 316488

Synopsis

The IP Camera is affected by a command injection vulnerability.

Description

According to its self-reported version, the D-Link IP Camera DCS-2530L at version 1.05.05 or earlier, or DCS-2670L at version 2.02 or earlier, is affected by multiple vulnerabilities.

- A command injection vulnerability exists in affected devices due to the improper neutralization of special elements in cgi-bin/ddns_enc.cgi. An authenticated, remote attacker can exploit this by manipulating structural command separators to execute arbitrary commands. (CVE-2020-25079)

- An authentication bypass vulnerability exists in affected devices because the /config/getuser endpoint allows remote disclosure of the administrator password. An unauthenticated, remote attacker can exploit this by sending a direct HTTP request to bypass authentication and execute arbitrary actions with administrative privileges. (CVE-2020-25078)

Note that Nessus has not tested for this issue but has instead relied only on the camera's self-reported model and version.

Solution

Apply the vendor-supplied hotfix for the affected model, or upgrade to a supported device.

See Also

http://www.nessus.org/u?e142f957

Plugin Details

Severity: High

ID: 316488

File Name: d-link_ip_camera_CVE-2020-25079.nasl

Version: 1.2

Type: Remote

Family: CGI abuses

Published: 5/22/2026

Updated: 5/23/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2020-25079

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:dlink:camera

Required KB Items: installed_sw/D-Link IP Camera

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/26/2020

Vulnerability Publication Date: 9/2/2020

CISA Known Exploited Vulnerability Due Dates: 8/26/2025

Reference Information

CVE: CVE-2020-25078, CVE-2020-25079