CISA Adds Three D-Link Vulnerabilities to KEV Catalog Amid Evidence of Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three older security vulnerabilities affecting D-Link Wi-Fi cameras and network video recorders to its Known Exploited Vulnerabilities (KEV) catalog. The update follows new evidence that these flaws are being actively exploited in real-world attacks.

The vulnerabilities, which were first disclosed in 2020 and 2022, are rated as high severity and include:

  • CVE-2020-25078 (CVSS 7.5): An unspecified issue in D-Link DCS-2530L and DCS-2670L devices that could allow remote attackers to retrieve administrator credentials.
  • CVE-2020-25079 (CVSS 8.8): An authenticated command injection flaw in the cgi-bin/ddns_enc.cgi component, also affecting the DCS-2530L and DCS-2670L models.
  • CVE-2020-40799 (CVSS 8.8): A download of code without integrity check vulnerability in the D-Link DNR-322L that could let an authenticated attacker execute OS-level commands.

Although CISA has not provided specific details on how these vulnerabilities are being exploited, the FBI issued a warning in December 2024 noting that HiatusRAT campaigns were actively scanning the internet for webcams exposed to CVE-2020-25078.

Importantly, the DNR-322L reached end-of-life (EoL) status as of November 2021, meaning no further updates or patches will be released for it. Users are strongly advised to retire and replace this model. D-Link released fixes for the other two vulnerabilities back in 2020, and users should ensure their devices are up to date.

Given the ongoing exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to implement mitigation measures by August 26, 2025, to protect their systems and networks.

(Update: This article was revised to clarify that the vulnerabilities affect D-Link cameras and video recorders, not routers as previously stated.)

Source: https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.html