Login Sign Up

CVE-2020-27864

8.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows attackers on the same network to execute arbitrary code on D-Link DAP-1860 WiFi extenders without authentication. The flaw exists in the HNAP service's improper validation of user input before executing system commands. Only D-Link DAP-1860 devices running firmware version 1.04B03 are affected.

💻 Affected Systems

Products:
  • D-Link DAP-1860 WiFi Extender
Versions: Firmware version 1.04B03
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with HNAP service enabled (default). Requires network adjacency.

📦 What is this software?

Dap 1860 Firmware by Dlink

View all CVEs affecting Dap 1860 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent malware, intercept network traffic, pivot to other devices, or brick the device.

🟠

Likely Case

Attackers gain full control of the WiFi extender to monitor/modify network traffic, create backdoors, or use as a foothold for further attacks.

🟢

If Mitigated

If properly segmented and patched, impact is limited to the isolated device with no lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires network access but no authentication. Public exploit details available in ZDI advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.04B04 or later

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10197

Restart Required: Yes

Instructions:

1. Download latest firmware from D-Link support site. 2. Log into device web interface. 3. Navigate to Firmware Update section. 4. Upload and apply new firmware. 5. Device will reboot automatically.

🔧 Temporary Workarounds

Disable HNAP Service

all

Disable the vulnerable HNAP service if not required for functionality.

Network Segmentation

all

Isolate WiFi extenders on separate VLAN from critical systems.

🧯 If You Can't Patch

  • Physically disconnect device from network until patched
  • Implement strict firewall rules to block all traffic to port 80 on affected devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version in device web interface or via SSH if enabled. Version 1.04B03 is vulnerable.

Check Version:

Check web interface System Status page or use: curl -s http://device-ip/HNAP1/ | grep -i version

Verify Fix Applied:

Verify firmware version is 1.04B04 or later after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HNAP service requests
  • Multiple failed authentication attempts to HNAP
  • System command execution logs

Network Indicators:

  • Unusual HTTP POST requests to /HNAP1/ endpoint
  • Traffic to port 80 from unexpected internal sources
  • Command injection patterns in HTTP headers

SIEM Query:

source="dlink-extender" AND (http_uri="/HNAP1/" OR http_user_agent CONTAINS "exploit")

📊 Metadata

CVE ID: CVE-2020-27864
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: February 12, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-27864, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)