Multiple Security Vulnerabilities on D-LINK Home Routers

Risk:
high
Damage:
high
Platform(s):
DLINK Router
Advisory ID:
ngCERT-2020-0005
Version:
3.1
CVE:
CVE-2020-13782, CVE-2020-13786, CVE-2020-13785, CVE-2020-13784, CVE-2020-13783, CVE-2020-13787
Published:
June 17, 2020

Summary


Researchers discovered six new vulnerabilities in D-Link wireless cloud routers running their latest firmware. The reported vulnerabilities were found in the DIR-865L model of D-Link routers, which is meant for home network use. It is also likely that some of these vulnerabilities are present in newer models of the router because of similarities in the codebase.

Description & Consequence


The vulnerabilities found in the DIR-865L model of D-Link routers make it more likely that an attacker can run arbitrary commands that could lead to a denial-of-service attack, sniff web traffic and use the session information to gain access to password-protected portions of the website without knowing the password, and conduct CSRF attacks.

The following vulnerabilities have been discovered in the D-Link home routers:

  • Improper Neutralization of Special Elements used in a Command (Command Injection)
  • Cross-Site Request Forgery (CSRF)
  • Inadequate Encryption Strength
  • Predictable seed in Pseudo-Random Number Generator
  • Cleartext Storage of Sensitive Information
  • Cleartext Transmission of Sensitive Information

Different combinations of these vulnerabilities can lead to significant risks. Malicious users can sniff network traffic to steal session cookies. With this information, they can access the administrative portal for file sharing, giving them the ability to upload arbitrary malicious files, download sensitive files, or delete essential files. They can also use the cookie to run arbitrary commands to conduct a denial-of-service attack.

Solution


  • Install the latest version of the firmware with patches. The firmware can be found on the D-Link website where they announced the vulnerabilities: D-Link Announcement.
  • Default all traffic to HTTPS to defend against session hijacking attacks.
  • Change the time zone on the router to defend against malicious actors who are calculating the randomly generated session id. You can find how to do that on D-Link’s site.
  • Do not use this router to share sensitive information until it’s patched.
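
The "Predictable seed in Pseudo-Random Number Generator" weakness and the session id advice above, shown as an added Python example (not D-Link firmware code and not part of the original advisory): a hypothetical time-seeded session id generator beside a CSPRNG-based one, with an audit check that flags the first. All function names and the sample timestamp are assumptions made for illustration.

```python
import random
import secrets

# Constructed sample clock value: 2020-06-17 00:00:00 UTC as a Unix timestamp.
SAMPLE_LOGIN_TIME = 1592352000


def weak_session_id(login_time: int) -> str:
    """Hypothetical weak design: the PRNG is seeded only with the login time."""
    rng = random.Random(login_time)          # seed = seconds since the epoch
    return f"{rng.getrandbits(64):016x}"     # looks random, but is a function of the clock


def strong_session_id(login_time: int) -> str:
    """Hardened form: 128 bits from the OS CSPRNG; the clock plays no part."""
    return secrets.token_hex(16)


def depends_only_on_clock(generator, login_time: int, trials: int = 5) -> bool:
    """Audit check: True if a fixed clock value always yields the same id."""
    ids = {generator(login_time) for _ in range(trials)}
    return len(ids) == 1


def ids_possible_in_window(window_seconds: int) -> int:
    """How many distinct ids the weak design can issue within a time window."""
    start = SAMPLE_LOGIN_TIME
    return len({weak_session_id(start + s) for s in range(window_seconds)})


if __name__ == "__main__":
    for name, gen in (("time-seeded", weak_session_id),
                      ("CSPRNG", strong_session_id)):
        flagged = depends_only_on_clock(gen, SAMPLE_LOGIN_TIME)
        print(f"{name:12s} id determined by clock: {flagged}")
    # One id per second: an hour-long window holds only 3600 possible values,
    # compared with 2**128 for the CSPRNG-based generator.
    print("ids possible in a one-hour window:", ids_possible_in_window(3600))
```

A check like `depends_only_on_clock` can be kept as a regression test for any token generator: it must return False for anything used as a session identifier.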

Reference


https://www.cvedetails.com/vulnerability-list/vendor_id-899/D-link.html

https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174
