Your D-Link Camera is a Target: CISA Warns of Actively Exploited Flaws
In recent months, cybercriminals have once again turned their attention to long-known vulnerabilities in popular models of D-Link Wi-Fi cameras and network video recorders. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added three such vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog—despite the fact that all were initially discovered several years ago. This move comes in response to fresh evidence that attackers continue to exploit these weaknesses across the globe, with real-world incidents already observed in operational networks.
The CISA list includes vulnerabilities affecting the D-Link DCS-2530L, DCS-2670L, and DNR-322L devices. The first, tracked as CVE-2020-25078 and rated 7.5 on the CVSS scale, enables remote access to a camera’s administrator password. Exploiting it requires no sophisticated methods: flawed security mechanisms in the affected models hand the credentials to an unauthorized party with ease.
The second vulnerability, CVE-2020-25079, bears a higher severity score of 8.8 and involves command injection via the cgi-bin/ddns_enc.cgi component. Although exploitation requires authentication, once access is obtained, an attacker can execute arbitrary commands on the device—significantly broadening their control over the camera’s functions.
The third flaw, CVE-2020-40799, also rated 8.8, affects the D-Link DNR-322L network video recorder. It arises from a lack of integrity checks during code uploads, which, after successful authentication, allows attackers to execute arbitrary commands at the operating system level—paving the way for malware installation and full device compromise.
Of particular concern is that CVE-2020-40799 remains unpatched by the manufacturer. This is due to the DNR-322L having reached end-of-life status, with official support discontinued in November 2021. Owners of these devices are strongly urged to cease their use immediately and transition to modern, actively supported alternatives. Although patches for the other two models were issued in 2020, many organizations and individual users have yet to update their devices, leaving them exposed to ongoing threats.
The urgency of the issue is further underscored by a December 2024 FBI advisory warning that the HiatusRAT botnet was actively scanning the internet for cameras vulnerable to CVE-2020-25078. Such unprotected devices can be harnessed for espionage, infrastructure attacks, and the creation of new botnets—incidents that have already been documented in multiple countries.
U.S. federal civilian agencies face strict deadlines: all mitigation measures must be implemented by August 26, 2025. These directives are designed to safeguard critical networks from cyberattacks that could result in data breaches, surveillance interference, and other severe consequences. In today’s threat landscape, unsecured cameras are not only prime targets for compromise but also potent tools for large-scale cyber operations—their widespread presence amplifying the associated risks.
Given these developments, the imperative to update all devices—whether in enterprise or home environments—is more pressing than ever. Likewise, the immediate decommissioning of unsupported models is essential. Safeguarding digital infrastructure today demands swift, decisive action—even against so-called “legacy” threats, particularly when they remain actively exploited by real-world adversaries.
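The patch-or-retire decision described above can be run as a triage pass over a device inventory. The following is an added example, not part of the original article: the KEV entries are a constructed sample using the field names of CISA's KEV JSON feed, and the inventory, hostnames and `triage` function are hypothetical.

```python
import json
import re
from datetime import date

# Constructed sample using the KEV JSON feed's field names; values follow the article.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2020-25078", "vendorProject": "D-Link",
   "product": "DCS-2530L and DCS-2670L", "dueDate": "2025-08-26"},
  {"cveID": "CVE-2020-25079", "vendorProject": "D-Link",
   "product": "DCS-2530L and DCS-2670L", "dueDate": "2025-08-26"},
  {"cveID": "CVE-2020-40799", "vendorProject": "D-Link",
   "product": "DNR-322L", "dueDate": "2025-08-26"}
]}""")

# End-of-life per the article: no fix will ship, so removal is the only action.
END_OF_LIFE = {"DNR-322L"}

# Constructed inventory; hostnames and the "DCS-2530" model are hypothetical.
INVENTORY = [
    {"host": "cam-lobby", "vendor": "D-Link", "model": "DCS-2530L"},
    {"host": "nvr-store", "vendor": "d-link", "model": "dnr-322l"},
    {"host": "cam-dock", "vendor": "D-Link", "model": "DCS-2530"},
]

def triage(inventory, kev, today):
    """Return one finding per affected asset: CVEs, due date, days left, action."""
    findings = []
    for asset in inventory:
        model = asset["model"].upper()
        # Whole-token match, so an asset "DCS-2530" does not match "DCS-2530L".
        pattern = rf"(?<![\w-]){re.escape(model)}(?![\w-])"
        hits = [v for v in kev["vulnerabilities"]
                if v["vendorProject"].lower() == asset["vendor"].lower()
                and re.search(pattern, v["product"].upper())]
        if not hits:
            continue
        due = min(date.fromisoformat(v["dueDate"]) for v in hits)
        findings.append({
            "host": asset["host"],
            "cves": sorted(v["cveID"] for v in hits),
            "due": due.isoformat(),
            "days_left": (due - today).days,  # negative means overdue
            "action": "decommission" if model in END_OF_LIFE else "patch",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(INVENTORY, KEV_SAMPLE, date.today()):
        print(finding)
```

In practice the sample would be replaced by the downloaded KEV feed and the inventory by an export from an asset-management system.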