CISA has included three D-Link vulnerabilities in its Known Exploited Vulnerabilities (KEV) Catalog due to indications of ongoing exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added three significant security vulnerabilities affecting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. These high-severity vulnerabilities, identified as CVE-2020-25078, CVE-2020-25079, and CVE-2020-40799, date from 2020 and 2022. CVE-2020-25078, with a CVSS score of 7.5, allows remote disclosure of the administrator password on D-Link DCS-2530L and DCS-2670L devices. CVE-2020-25079, rated at 8.8, is an authenticated command injection vulnerability in the cgi-bin/ddns_enc.cgi component of the same devices. CVE-2020-40799, also scoring 8.8, permits an authenticated attacker to execute operating system-level commands on the D-Link DNR-322L due to a lack of integrity checks during code downloads.
No specific details are currently available on how these vulnerabilities are being exploited, although a December 2024 advisory from the U.S. Federal Bureau of Investigation (FBI) highlighted HiatusRAT campaigns targeting web cameras vulnerable to CVE-2020-25078. Notably, CVE-2020-40799 remains unpatched because the affected model reached end-of-life (EoL) status in November 2021, so the DNR-322L should be discontinued and replaced. D-Link released fixes for the other two vulnerabilities in 2020. In light of ongoing exploitation, it is crucial for Federal Civilian Executive Branch (FCEB) agencies to implement the necessary mitigation measures by August 26, 2025, to safeguard their networks.