The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities in legacy D-Link devices to its Known Exploited Vulnerabilities (KEV) catalog, a listing that signals active exploitation in the wild and obliges Federal Civilian Executive Branch (FCEB) agencies to remediate on a fixed deadline. Organizations outside the federal government that still run these devices should treat the listing as the same call to action.
The newly listed flaws—CVE-2020-25078, CVE-2020-25079, and CVE-2022-40799—affect several models of D-Link IP cameras and network video recorders, all of which have reached End-of-Life (EOL) or End-of-Service (EOS) status.
The first flaw, tracked as CVE-2020-25078, affects D-Link DCS-2530L and DCS-2670L cameras and lets an unauthenticated remote attacker read the administrator password from an endpoint that requires no login:
“The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.”
This vulnerability was fixed in firmware v1.07.00 (DCS-2530L) and v2.03.00 (DCS-2670L), but it remains dangerous because many of these aging cameras are still deployed with older firmware, and the hardware itself is no longer supported.
CVE-2020-25079 affects the same two models and is a command injection flaw that yields remote code execution on the device:
“cgi-bin/ddns_enc.cgi allows authenticated command injection.”
The authentication requirement offers little protection on its own: an attacker who first harvests the administrator password through CVE-2020-25078 can log in and use CVE-2020-25079 as a second stage to run commands on the camera. Defenders should therefore treat any request to /config/getuser as the likely start of such a chain rather than as a low-severity information leak.
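As an added example, not code from the original article or from D-Link, the following Python detector applies the chain logic above to web-proxy or IDS access logs. It flags requests to the two endpoints named in the advisories, treats an HTTP 200 response to /config/getuser as a credential leak, and reports any source address that follows such a leak with a request to ddns_enc.cgi within ten minutes. The Apache combined log format, the ten-minute window, and the sample log lines (constructed, using documentation address ranges) are assumptions; real deployments will need the regex adjusted to their own log source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths taken from the two advisories quoted above.
WATCHED_PATHS = {
    "/config/getuser": "CVE-2020-25078",        # unauthenticated admin password disclosure
    "/cgi-bin/ddns_enc.cgi": "CVE-2020-25079",  # authenticated command injection
}

# Assumption: traffic to the cameras is mirrored through a proxy or IDS that
# writes Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: a leak followed by an injection attempt within this window is one chain.
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed sample log (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2025:10:00:01 +0000] "GET /config/getuser HTTP/1.1" 200 64 "-" "curl/8.4.0"
192.0.2.9 - - [05/Aug/2025:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 1411 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2025:10:03:12 +0000] "POST /cgi-bin/ddns_enc.cgi HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.4 - - [05/Aug/2025:10:05:00 +0000] "GET /config/getuser HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.4 - - [05/Aug/2025:10:06:00 +0000] "POST /cgi-bin/ddns_enc.cgi HTTP/1.1" 200 0 "-" "Mozilla/5.0"
this line is not an access-log record and is skipped
203.0.113.7 - - [05/Aug/2025:12:00:00 +0000] "GET /config/getuser HTTP/1.1" 200 64 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return (src, timestamp, path, status), or None for lines that are not requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]  # match on the path only, whatever the query string
    return m.group("src"), ts, path, int(m.group("status"))


def classify(lines):
    """Group hits on the watched endpoints by source address, keeping log order."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts, path, status = parsed
        cve = WATCHED_PATHS.get(path)
        if cve:
            hits[src].append((ts, cve, status))
    return dict(hits)


def find_chains(hits, window=CHAIN_WINDOW):
    """Sources whose successful (HTTP 200) /config/getuser request is followed,
    within `window`, by a request to ddns_enc.cgi: the two-stage chain.
    A 401/403 on getuser means the device refused the leak, so it does not count."""
    chained = []
    for src, events in hits.items():
        leaks = [ts for ts, cve, status in events if cve == "CVE-2020-25078" and status == 200]
        for ts, cve, _ in events:
            if cve == "CVE-2020-25079" and any(timedelta(0) <= ts - leak <= window for leak in leaks):
                chained.append(src)
                break
    return sorted(chained)


def report(lines):
    """Human-readable summary: every hit on a watched endpoint, then chained sources."""
    hits = classify(lines)
    out = []
    for src in sorted(hits):
        for ts, cve, status in hits[src]:
            out.append(f"{ts.isoformat()} {src} {cve} status={status}")
    for src in find_chains(hits):
        out.append(f"CHAIN {src}: getuser leak followed by ddns_enc.cgi request")
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

On the sample input the single source that retrieves the password and then posts to ddns_enc.cgi three minutes later is reported as a chain; the source whose getuser request was refused with 401 is listed as a hit but not as a chain, since the leak never happened. Standalone ddns_enc.cgi requests are still worth reviewing, because an attacker may have obtained credentials some other way.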
CVE-2022-40799 affects the D-Link DNR-322L NVR and lies in the device's configuration backup/restore feature. Because the exported configuration is not integrity-checked, an attacker with access to that feature can tamper with the backup before restoring it:
“Data Integrity Failure in ‘Backup Config’… enables editing of the bash script rc.init.sh that is executed when the device boots.”
Since rc.init.sh runs on every boot, a tampered backup gives persistent code execution that survives restarts. A public proof-of-concept (PoC) exists, which lowers the bar for exploitation in the wild.
All the affected models, including DCS-2530L, DCS-2670L, DCS-4603, DCS-4622, and DNR-322L, are officially unsupported. According to D-Link:
“All hardware revisions have reached their End of Life (‘EOL’) / End of Service Life (‘EOS’) life-cycle. D-Link US recommends these devices be retired and replaced.”
Given the active exploitation, CISA requires all FCEB agencies to remediate these vulnerabilities by August 26, 2025. Because no further firmware will be issued for these products, remediation in practice means retiring and replacing them, as D-Link recommends; until that happens, they should at least be kept off the internet and segmented away from sensitive networks. Left in place, they expose the network to external intrusion, hijacking of the camera or recorder feed, and lateral movement into other systems.