CVE-2020-13786
Description
D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-865L Ax routers running firmware 1.20B01 Beta are vulnerable to CSRF, enabling unauthorized actions by tricking an authenticated admin.
Vulnerability
D-Link DIR-865L hardware revision Ax running firmware version 1.20B01 Beta (released August 9, 2018) is vulnerable to Cross-Site Request Forgery (CSRF) [1][2]. The web interface does not properly validate or require a unique token for state-changing requests, allowing an attacker to forge requests on behalf of an authenticated administrator.
Exploitation
An attacker can craft a malicious HTML page or link that, when visited by an authenticated administrator, sends a forged request to the router's web interface [1]. No special network position is required; the attacker only needs to trick the victim into visiting a malicious site while logged into the router. The forged request can perform any action the administrator is authorized to do, such as changing settings or initiating file operations.
Impact
Successful CSRF exploitation allows an attacker to perform arbitrary actions on the router with administrative privileges, including modifying configuration, uploading malicious files, or deleting data [1]. This can lead to full compromise of the router and potential further network attacks. The CSRF vulnerability can be chained with other vulnerabilities (e.g., command injection, cleartext storage) to escalate impact [1].
Mitigation
D-Link has released a beta patch (available at the D-Link support announcement [2]), but the DIR-865L reached End of Support/End of Life on February 1, 2016 [2]. Users are strongly advised to install the beta patch or upgrade to a supported router model. No other workarounds are documented [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-865L (description)
Patches
No patches discovered yet.
References
- supportannouncement.us.dlink.com/announcement/publication.aspx (mitre, x_refsource_MISC)
- unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/ (mitre, x_refsource_MISC)