CVE-2021-27250
moderate-risk
Published 2021-04-14
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the errorpage request parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11856.
Do I need to act?
!
70.6% chance of exploitation in next 30 days
EPSS score — higher than 29% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10
Medium
ADJACENT_NETWORK
/ LOW complexity
Affected Products (1)
Dap-2020 Firmware
Affected Vendors
References (4)
Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-205/
Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-205/
45
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
19/34 · Moderate
Exposure
5/34 · Minimal