Support Announcements
DIR-825 :: H/W Rev. Bx :: FW v2.10 :: CVE-2020-10213 / CVE-2020-10215 / CVE-2020-10216

Overview

 

A recent report from CISA, dated 03/17/2020, alleges multiple security vulnerabilities in the DIR-825, hardware revision Bx.

 

The DIR-825 reached its End-of-Support (EOS) date on 09/01/2015. The resources associated with EOS products have ceased development and are no longer supported.


For US consumers, D-Link Systems, Inc. recommends retiring these products and replacing them with products that receive firmware updates.

 

Third-Party Report:

 

Publicly disclosed via CVE, with a proof of concept (PoC) found on the GitHub website

 

     - CVE-2020-10213 :: LINK :: Command injection via the wps_sta_enrollee_pin parameter in set_sta_enrollee_pin.cgi

              - GitHub :: LINK

     - CVE-2020-10215 :: LINK :: Command injection via the dns_query_name parameter in dns_query.cgi

              - GitHub :: LINK

     - CVE-2020-10216 :: LINK :: Command injection via the date parameter in system_time.cgi

              - GitHub :: LINK
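
For networks where a DIR-825 is still in service until it can be retired, the following added example (not D-Link or CISA code) flags requests to the three CGI endpoints listed above when the named parameter contains shell metacharacters. The request layout (parameter in the query string or a form-encoded body), the metacharacter set and all sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CGI endpoint -> (parameter, CVE) exactly as named in the advisory.
WATCHED = {
    "set_sta_enrollee_pin.cgi": ("wps_sta_enrollee_pin", "CVE-2020-10213"),
    "dns_query.cgi": ("dns_query_name", "CVE-2020-10215"),
    "system_time.cgi": ("date", "CVE-2020-10216"),
}

# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")


def check_request(url, body=""):
    """Return a list of (cve, parameter, value) findings for one request.

    Assumption: the parameter may arrive in the query string or in a
    form-encoded body; both are inspected after URL-decoding.
    """
    parts = urlsplit(url)
    cgi = parts.path.rsplit("/", 1)[-1]
    if cgi not in WATCHED:
        return []
    param, cve = WATCHED[cgi]
    findings = []
    for source in (parts.query, body):
        for value in parse_qs(source, keep_blank_values=True).get(param, []):
            if SHELL_META.search(value):
                findings.append((cve, param, value))
    return findings


# Constructed sample requests (not captured traffic): (url, body).
SAMPLES = [
    ("/set_sta_enrollee_pin.cgi", "wps_sta_enrollee_pin=12345670"),
    ("/set_sta_enrollee_pin.cgi", "wps_sta_enrollee_pin=12345670%3Bplaceholder"),
    ("/dns_query.cgi", "dns_query_name=example.com"),
    ("/dns_query.cgi?dns_query_name=example.com%60placeholder%60", ""),
    ("/system_time.cgi", "date=2020.03.17-10:00:00"),
    ("/status.cgi", "date=%3Bplaceholder"),  # unrelated endpoint, ignored
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        for cve, param, value in check_request(url, body):
            print(f"ALERT {cve}: {param}={value!r} in {url}")
```
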

 

Recommendation for End of Service Life Products

 

While D-Link is aware of the alleged vulnerabilities involving the DIR-825, the product has reached End of Life (EoL)/End of Support (EoS), and there is no longer support or development for it. Once a product is past its EoL/EoS date, as stated on its product support page, or has been transferred to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues, since all development and customer support has ceased.


From time to time, D-Link will decide that certain of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including a shift in market demands, technology innovation, costs or efficiencies based on new technologies, or because the product simply matures over time and is replaced by functionally superior technology.

 

Once a product is identified as EoL, D-Link will provide the dates for which the support and service for that product will no longer be available.

 

For US consumers, D-Link recommends this product be retired; any further use may be a risk to devices connected to it and end-users connected to it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, make sure you frequently update the device's unique password to access its web-configuration, and always have Wi-Fi encryption enabled with a unique password.