CVE-2020-13782
Description
D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-865L Ax routers running firmware 1.20B01 Beta contain a command injection vulnerability in the web interface's cgibin.exe handler.
Vulnerability
The D-Link DIR-865L Ax router with firmware version 1.20B01 Beta (released August 9, 2018) contains a command injection vulnerability via the scandir.s... handler in the cgibin.exe backend engine that processes web interface requests [1]. The specific parameter and injection point are not disclosed in public references, but the bug is classified as improper neutralization of special elements used in a command (CWE-77) [2].
Exploitation
An attacker must be able to send HTTP requests to the router's web interface, which typically requires network access to the local LAN or the administrative interface if exposed to the WAN. No authentication is mentioned as required; the request is processed by cgibin.exe before any credential check. By crafting a malicious request with injected command sequences (e.g., via shell metacharacters) in the vulnerable parameter, an attacker can execute arbitrary system commands on the device [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the web server process (likely root on such embedded routers). This can lead to full device compromise, including exfiltration or modification of sensitive data (e.g., credentials stored in cleartext [CVE-2020-13783]), installation of persistent malware, denial of service, or use of the router as a pivot point for further network attacks [1].
Mitigation
D-Link has released a beta patch for this vulnerability, and users are strongly recommended to install it via the announcement at [2]. However, note that the DIR-865L reached its End of Support/End of Life (EOS/EOL) on February 1, 2016 [2]; thus, no further firmware updates beyond this beta are planned. If the patch cannot be applied, the only workaround is to replace the device or restrict LAN access to trusted users and disable remote administration. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-865L (source: description)
Patches
No patches discovered yet.
References
- supportannouncement.us.dlink.com/announcement/publication.aspx (mitre, x_refsource_MISC)
- unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/ (mitre, x_refsource_MISC)